Insights For Success

Strategy, Innovation, Leadership and Security

The internet's bad security is YOUR fault

technologyEdward KiledjianComment
Image by Nick Carter used under Creative Commons License

Image by Nick Carter used under Creative Commons License

As a security expert, my biggest security risk (in the corporate world) is people. I can buy the best technology and write the most efficient processes but if people get sloppy, everything falls apart.

Security and convenience (simplicity) are on opposing ends of the spectrum. Ultimate security means no convenience and ultimate convenience means no security. Did I mentioned that only through good security can you get good privacy?

We make decisions about relative importance of security over functionality everyday. If you use an Android smartphone and have enabled GoogleNOW, you understand how practical it can be for the Google hivemind to process everything about you and give you the information you need, when you need it, all without having to do anything. Go to the airport your boarding pass magically shows up on your lock screen or smart watch. Go to a foreign country, get the currency conversion. Go to a new city and see all of the important sights to visit right then and there. We love convenience.  

It is this convenience or simplicity that has caused the explosion of everything-must-connect-to-the-internet syndrome. When connecting to the internet meant you had to be a tech expert, buy $3000 of equipment, then setup complicated dialup services, only the brave wanted in. Now that all of the technical underpinnings are hidden, everyone wants to be on the net. 

But most users forget that the internet is not magic. There are companies and people working in the background to make all of this possible. None of these people or companies are non-profit charities. Our Internet Service Provider (ISP) sees all of our internet traffic. Our email provider knows who we message, why and how often. Our DNS provider knows what sites we visit and how often. SmugMug or Flickr see all of your photos. If you use a Chromebook (and I own one), you want someone to even manage your endpoint device.

Every Time you interact with an internet connected device, remember that it is logging and tracking almost everything you do. Some companies call it telemetry, usage information, meta-data but know it exists. They use it to improve their product and figure out whats popular and whats not. They want to know when something crashed, why and how. Often sending debug information along with the crash report, which could include personal data.

It is these companies, who have access to this treasure trove of personal and sometimes private information, that we are tasking with the  protection of our security and privacy. It is also failures in these companies that can lead to a violation of our privacy. Sometimes these violations are because of lax security controls inside the company. Sometimes these violations are performed by well funded, highly skilled, cyber-spies on behalf of national governments. Sometimes this information is stolen for fun and profit by "bad actors" (organized crime, competitors or the kid next-door).

An article in The Intercept (link) talks about a Snowden leak that claim's GCHQ and NSA operatives stolle the SIM encryption keys from Gemalto. You've never heard of Gemalto but they probably made the SIM card sitting on your cell phone right now. It's moto is "Security to be free". 

Once you have the keys, decrypting traffic is trivial
— Christopher Soghoian, the principal technologist for the American Civil Liberties Union

So it is a bad thing. We didn't want to (or wouldn't) implement security ourselves on our devices so we expect our carrier to do it.  They did, using Gemalto and it is now claimed that the keys uses to protect billions of smartphones has been hacked by national intelligence agencies. 

Secure Instant messaging is a good example. I use the common tools (because everyone is on them) but when I try to convince people to adopt the more secure Threema, they refuse. They want the security but don't want to create and manage keys. Securely exchange keys with the other party, etc. They want someone else to handle everything for them.

In the corporate world we employ expensive highly skilled specialists to manage these security controls because we understand the risks of losing control over our protection mechanisms. We understand the value of what it is we are protecting, but do you? 

Every time you give up some privacy in exchange for convenience (or a free service), do it consciously . Ask yourself what’s in it for the other party and is the trade really worth it?
— Edward N Kiledjian

You are your own security's worst enemy.

The long term solution is

  • more stringent government regulation forcing clearer explanations of what data is collected, how, when, by whom and for what purpose. 
  • more intelligent consumers that are aware "nothing is free" and better equipped to make decisions regarding their personal privacy and security. 

Now go on about your day and be secure