NFC [Near Field Communication] is a clever outgrowth of RFID. This group of short-range wireless communication standards will enable all kinds of conveniences previously unattainable with our so-called mobile devices. Mostly phones, but practically any unwired NFC-capable device, eventually, will be able to communicate with other NFC-capable devices, giving consumers a wide range of features for commerce, information exchange and ad-hoc authentication. Unfortunately, NFC continues the trend where design for security comes in as an afterthought, rather than a primary focus, going in. Perhaps it’s not fair to place the security burden on NFC; after all, it’s merely a low-level transport mechanism. What’s the worst that could happen?
It’s a simple scenario to envision. As a prospective shopper crosses the brick-and-mortar threshold, between embedded RFID and NFC, what’s inside my wallet is quickly scanned. This isn’t your grandparents’ era of business analytics based on years and years of historic data warehouses; this is near-real-time data gathering and heuristic algorithmic triggers that may sample the cologne I’m wearing, track my line-of-sight eye movements between the aisles and possibly even process bits of my DNA left behind. Am I describing some scene from Minority Report? Hardly. These are active pursuits by some of today’s top mobile consumer technology companies. Remember last holiday season’s attempts to track supposedly anonymized GPS signals inside malls?
Mobile is changing our lives. We now have a nearly undreamt-of amount of computing resources in our pockets, and it has deeply enriched our day-to-day experiences, especially for the consumption-centric lifestyles we currently lead. But companies seem resistant to adopting the same outlook, and are in fact not embracing the BYOD movement. MP3 players were OK, but corporate IT seems so resistant to hooking up your Samsung Galaxy Nexus for email, or adding you to the WiFi network. Don’t they get the value? That’s just the business being slow and monolithic and missing out on the wonderful opportunities, right? Not so fast.
The sphere is lit up with the latest tale of woe, which has befallen a prominent writer in the technology space. It is a terrible event to experience this particular invasion in one’s life, not to mention not just the loss of a sense of security but the actual loss of invaluable data, especially pictures of children that cannot be replaced or retaken. While I empathize with the plight of reconstructing his life, and appreciate the journalistic approach toward soliciting insight from the alleged hackers… I’m not entirely in agreement with the finger-pointing at Amazon and Apple. At least not in the same way that’s being discussed. Yes, two-factor authentication is desirable. Yes, it’s a good lesson in security vs. ease of use. Yes, entrusting information to others exposes oneself to risks, when the other party isn’t demonstrating the same diligence at managing your information. However, the failure somewhat overlooked, once again, is that social engineering was the attack vector — similar to the CloudFlare incident from a few months ago — and no amount of technology will solve this no-tech grandfather challenge.
I’ve already proposed an approach that will encourage Ops to avoid doing more work. Now, I’m going to expand on that less-effort trajectory, and share the following fortune-cookie wisdom: “Doing nothing is better than doing something…” although you have to add “…stupid” to the end of that to truly glean this particular gem. Let’s face it, if the smartest and brightest people were always at the helm, there’d be a real dearth of topics for discussion here at feyn.com. Because there are under-qualified decision makers in the mix, who often measure performance with misapplied KPIs or other misguided metrics, there is a constant push to demonstrate value by doing something. That is probably the worst combination when it comes to operational soundness and security — doing something for the sake of doing, especially when doing something smart is unlikely.
It still amazes me, sometimes, that SQL injection ever came into vogue, becoming one of the poster children of web application vulnerability. It’s outright jaw-dropping that in 2012, an iconic web company would fall victim to this technique. I could go on and on about the number of things that went awry and/or should’ve been done. But this appears to be a chronic failure, with each generation of software engineering re-inventing the same bug all over again, like an endless nightmare of unlearned remedial lessons. A SQL injection attack is a variation on one of the oldest no-no’s among secure computing tenets, and that is the implicit granting of permissions.
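The “implicit granting of permissions” the post refers to is easiest to see side by side: a query built by string concatenation hands the caller’s text the full grammar of SQL, while a parameterised query grants it only the status of a value. The following is an added example written for this page, not code from the feyn.com post; it runs against an in-memory SQLite table seeded with constructed, made-up accounts, and the function and table names are my own.

```python
"""Added example (not from the original post): a string-built SQL query beside
its parameterised form, run against an in-memory SQLite table of constructed
sample accounts."""
import sqlite3

# Constructed sample data; the names and e-mail addresses are made up.
SAMPLE_ACCOUNTS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (name TEXT PRIMARY KEY, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The chronic bug: the caller's string becomes part of the SQL text, so
    whatever SQL grammar the string carries is implicitly granted to the query."""
    sql = "SELECT email FROM accounts WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised form: the string is bound as a value only and can never
    alter the statement's structure, so a lookup stays a lookup."""
    sql = "SELECT email FROM accounts WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# A constructed input whose quote character closes the literal and appends an
# always-true condition; it is the textbook illustration of the problem.
TAUTOLOGY_INPUT = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups with a normal name and with the tautology input."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_email_vulnerable(conn, "bob"),
        "vulnerable_tautology": lookup_email_vulnerable(conn, TAUTOLOGY_INPUT),
        "safe_normal": lookup_email_safe(conn, "bob"),
        "safe_tautology": lookup_email_safe(conn, TAUTOLOGY_INPUT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the tautology input the concatenated version returns every e-mail in the table, because the single-row lookup has silently been rewritten into a full-table read the caller was never meant to have; the parameterised version returns nothing, since no account is literally named `x' OR '1'='1`. The same principle extends to the database account itself: a web tier connecting with a read-only, table-scoped role cannot be talked into more than it was explicitly granted, which is the remedial lesson the post says keeps going unlearned.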
I started out titling this as The Challenge With Mobile, but the thoughts that keep me awake and go bump in the night are really troubling. I wonder and worry if people even recognize this brave new, slightly dystopian, world of technology we have created for ourselves — one in which the phone is never off. An always-on and always-connected digital frontier, full of irresponsible citizens who fail to exercise their civic responsibility of minding their own perimeter defense… and, as a result, endangering my co-existence within that space. If the initial wave of personal computers joining the Web unleashed a wave of malice and destruction, you ain’t seen nothing yet.
It’s human nature to be trusting. We don’t want to think people are out to get us, because we don’t want to live in constant fear. I get that. As a normal human being, you can’t walk through life being afraid of your shadow and paranoid that someone is out to get you. However, as a software developer writing internet-deployed code, that is exactly how you have to think. Even if you are constantly vigilant, do everything right, cross all your t’s and dot all your i’s, you will still introduce vulnerabilities without knowing it. Sometimes, the attack will come in ways that will blow your mind… like, say, a camera phone in a coffee shop.
As problem solvers, we dream of a positive vision of the future, based upon the belief that the challenges and problems we face are solved by good design. OK, stop the playback. Back in the real world, the dominoes occasionally get knocked down in sequences unimagined and, worse, in ways that our complex and richly integrated systems cannot address. Some of it will be act-of-god happenstance, some will be introduced by ever-fallible humans, while the rest is just malicious intent. It’s a harsh reality, but that is and has always been the Internet, in spite of funny cat GIFs. When you are creating a solution — from authentication to authorization — make sure the design takes some consideration for all intents, not just the ones derived from planned and expected user stories.
It’s not the easiest pill to swallow, and more importantly, imagine trying to convince the management team to not only implement an external security review program, but to provide incentives for the resulting discoveries — that’s right, we’re going to pay others to find our mistakes. Yikes! Let’s face it, there will be bugs in software, despite development process, review and QA. Items will get missed, and unintended features or behaviors will creep into the code base. The systems have become complex. The interactions with 3rd parties are not always planned or even manageable. Likely, only non-developers won’t acquiesce to that simple truth. It’s an understandable sentiment from business stakeholders, as their focus isn’t on the design or implementation of complex application logic. However, there should be one common ground within any organization, and that is the need to be diligent stewards of their customers, and by extension, their customers’ information. Security is the bedrock of excellent customer service.
The constant and rapid pace of technological innovation creates easy opportunities for advancement. In this era of fast adoption and, occasionally, fast expiration, it’s not easy to slow down and examine how the changes have affected our lives. While I love the utility available to me in this inter-connected world, I am not a fan of the dichotomy of providing free service and requiring business profitability that has emerged as the default playbook for achieving and measuring success as a company. Consumers have become increasingly naïve in their willingness to give up the power of purchase, and in turn, companies see the individual not as a customer, but simply as another addition to the user base. When there is no price to pay, you are not a customer; you are just a product being sold.
If, as a developer, you care about security, you need to be constantly running pentests against your own code. Constantly – and I’m not talking about buying an off-the-shelf tool that will do the scanning for you. Those are important, but they’re something that QA or Operations can use to cross-check your work. What I mean is good, old-fashioned trying to break into the software you just wrote. This shouldn’t be too hard; you wrote it! You know where you usually slack off, so you’re in the best position to find vulnerabilities in your own code.
Sleek UI design and smooth user experience have become the norm, and a whole generation of users has grown up without knowing and understanding the risks of being online. Who could blame them? Being conscious and aware takes effort, and the marketing machines routinely churn out the chorus of “let us take care of it for you.” I mean, who would want to be concerned with viruses and malware? That’s so… “PC” in this post-Apple world. A sea of [Mac] users has been groomed for the easy, hands-off existence. Their complacency is to be expected. And ripe for exploitation.
As much as I value and protect my own privacy, when the roles are reversed, I like to be Big Brother every step of the way. Perhaps that is why I go to some extremes when it comes to protecting my personal information, because I’m very aware of the kind of “Big Data” collection going on and what data mining the habits of people on every aspect of their lives will yield. As it turns out, defending the one is not sufficient, because you cannot police the entire [social] network.
The security wires are still buzzing about the LinkedIn compromise. Again, as I’ve stated recently, a good post-mortem takes time, and it’s best to ignore all the hype and speculation until most — if not all — of the facts can be established. What is surprising is how much coverage there is of LinkedIn’s problem, as compared to the near-complete silence on Verisign’s management not being made aware of breaches dating back to 2010 that only came to light in 2012. That news is scary. This story is just irritating because of the number of opportunities LinkedIn had to perform this upgrade without having its hand forced.
All the software and audit and compliance in the world is useless when a single person opens the door for the Big Bad Wolf to waltz in. Yes, code review is important. Absolutely, audit is essential. And without question, process can save lives. None of that matters if the person entrusted with the key is readily duped by conversation. Social engineering is the granddaddy when it comes to security risks. Sadly, technology has yet to come up with the panacea for stupidity. Just look at what happened to CloudFlare.
The question is simple — do I trust the entity behind a particular website? The answer is less so, unfortunately. Misguided efforts at [micro]managing cookies, User-Agent strings and IP proxies betray the simple fact that I cannot hide from being myself. This was a slightly painful realization, once I had a glimpse behind the curtain and saw that the Wizard is not only great and powerful, he is everywhere, and rightly so. In a world of constant vigilance, even the ones casting no shadows are as visible as the endless tweeting of teeth brushers.