A lot of people feel
that we only really wake up to security when we’re stung by an
attack. I’m not sure this is true. For example, we might learn less
about security when our house is burgled than we do when we lock
ourselves out. We always manage to get back in eventually, after all.
We might find inventive ways to gain entry or call a locksmith who
will have the door open in about five seconds. Either way, we learn
something about our house’s vulnerabilities and how secure it
really is.
We might remember
that one slightly dodgy window latch we’ve been meaning to fix and
wonder if we might be able to wiggle it open from outside. We might
use an improvised device to see if we can open a door from the inside
through the letterbox. We wonder whether we could use that rock in
the garden to smash a window. We worry about setting off the alarm,
but then remember that nobody takes any notice of alarms anyway.
Whatever – and
regardless of whether we succeed – we’ve suddenly thought a lot
more about home security than we ever have before. In contrast, when
we’re burgled we tend to assume that the burglars have secret
knowledge or skills because, well, that’s what burglars do.
We expect burglars to be able
to gain entry if they try long and hard enough, but we assume this is
because of their ninja skills, not because our houses are all
fundamentally insecure.
It’s
only when we try to break in ourselves that we realise the truth.
This
is why penetration testing (aka
pen testing) exists. A pen test is an authorised attack on a
system designed to expose its vulnerabilities so that they can be
fixed. It’s the equivalent of the desperate householder trying to
break in to their own home. There are many pen testing specialists
out there and the field seems to be growing. This is because to take
security seriously, you must see the system from outside and tech
companies are increasingly recognising this.
This is also true of
our own personal systems: our networks of computers, tablets, phones,
ebook readers, digital assistants, smart devices, connected
lightbulbs, software, services (such as social networking, online
purchasing etc) and – importantly – our friends and family. We
need to think about those things as if we were trying to gain elicit
access to our own stuff if we are to protect our privacy and safety.
A trivial
example: we might not feel a need to lock our computers when we
leave the house, because the house itself is locked and anyway, it’s
annoying to have to type in passwords every time the screen locks.
But we’ve just seen how easy it is to break into a house. It’s
not unreasonable to expect that – increasingly – burglars will
enter our homes to gain access to our devices for the information
they contain as much as for the value of the hardware. Leaving aside
for now the standard (and incorrect) defence that “there’s
nothing interesting on my devices anyway” (which I’ll talk about
a lot more in weeks to come), our devices are very useful to people
with ill intent. They might not have any particular grudge against
us, but might use the data on our devices to steal our identities,
creating new credit accounts in our name, spending the contents and
saddling us with the debt and the damage to our credit ratings.
We need to think
about the things a bad guy might do if they had physical access to
our devices and implement safeguards which will stop them doing harm
or at least make it too difficult to bother. We need to think like
the burglar rather than like the complacent homeowner.
A more
complicated example: a security setup is only as good as
its weakest link. Sometimes the weakest link is a person or our
relationship with that person. Our friends and family might be
leaking information about us that could be useful to an attacker.
Which means, of course, that we are probably doing the same to them.
Here is one way we can weaken other people’s security without
necessarily knowing it:
When we use Amazon
to buy a gift for someone (to be sent to them directly), we’re
telling Amazon an awful lot about that person. We’re telling Amazon
that they are associated with us in some way, that perhaps it is
their birthday or anniversary, the kind of things they like (or at
least the things we think they like) and so on. If our friend also
has an Amazon account – which is very likely – then Amazon will
know even more. It will know about the people they buy
gifts for, the other people you
buy gifts for and might be able to track which of these other people
also buy gifts for each other. They’ll be able to infer how good
we all are at gift buying, based on the differences between what we
buy for other people and what they
buy for themselves.
They can infer the strength or quality of relationships based on the
money we all spend on each other and even on how late we leave it
before ordering something, whether we look at their wish lists and so
on. We’ve given away a lot
of potentially exploitable information
about people who didn’t give us permission to do so and probably
don’t know that it has happened. And chances are they’re doing
the same to us.
All
this information could be available to criminals whenever Amazon is
hacked, which will certainly happen quite often.
This
is why we need to think like burglars rather than householders. We
need to act like we’re locked out and have to find interesting ways
to get back in through improvised means. We need to be the fox in our
own hen-houses.
But
while I think this is sound advice, it isn’t very practical yet.
I’ll get around to more practical advice in the coming weeks. In
the meantime, here is an example to get you thinking about the
criminal mindset you’ll need to keep you and your friends safe.
When you last changed a password because you forgot the old one, did you do something like open a new message in your email client to temporarily store it before you could memorise it or store it somewhere more secure (I’ve seen people do this)? Do you know whether the email client saved that message as a draft? Draft emails are often a rich source of useful information, partly because we all tend to forget they exist.
Be
sneaky! Tell me about your sneaky ideas in the comments.
No comments:
Post a Comment