Time and Cost in Favor Of Security
The beginner's dilemma: do it properly and actually learn something new, or do it so that it gets done fast. Never mind flexibility, security and the feelings of future developers, as long as the task at hand gets done with minimal time spent and makes one look like a pro, for the moment.
That kind of attitude reminds me of a mix of The Office and The Simpsons. Yes, you can hack together something that barely manages to fulfil the current requirements... but then someone exploits the broken system, or it collapses because of a change in the environment, or another developer has to do it all over again, maybe in his own spare time, because the business side can't justify the time spent on refactoring a kind-of-working system.
I'm in full agreement that we (the developers) can't follow the golden rules all the time in the real world and compromises must be made to lower costs... and then I wonder what the clients would say if the company told them point-blank where the money was saved. Developers who think the website/app will never be under any sort of attack, who trust the user to input the right kind of data, or who trust the user to guard their cookies, are naive.
A situation like that gets even more heated when the team is split: one developer believes in it and is willing to do the extra work to have some confidence in his creation, the other just does it the way it's always been done.
A Real-world Example
Imagine now that you had to set up a WYSIWYG editor with file upload capability, like CKEditor. On the server side the uploader has two crucial parts: the config file and the actual (PHP) uploader script. Below is a section of the config.php file.
/**
 * This function must check the user session to be sure that he/she is
 * authorized to upload and access files in the File Browser.
 *
 * @return boolean
 */
function CheckAuthentication()
{
    // WARNING : DO NOT simply return "true". By doing so, you are allowing
    // "anyone" to upload and list the files in your server. You must implement
    // some kind of session validation here. Even something very simple as...
    // return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];
    // ... where $_SESSION['IsAuthorized'] is set to "true" as soon as the
    // user logs in your system. To be able to use session variables don't
    // forget to add session_start() at the top of this file.
    return false;
}
As you can see, the CKEditor uploader doesn't do anything until true is returned from CheckAuthentication(). It's really tempting to do just that and skip the whole auth thing to win those crucial minutes. The (figuratively) red warnings above don't really mean anything because surely, who'd ever want to attack our site, or who'd ever think to exploit the file upload script? We have a login page in front of the uploading script anyway.
Yeah. So what really happens is that nobody notices anything unless (s)he has some technical knowledge and knows what to look for: an unprotected script that accepts POST data. The login page on the main site does not stand "in front" of it at all; the uploader is its own URL and answers to anyone who requests it. You've solved the current situation and don't want to go back to deal with the problem. The customer is (wrongly) happy and you get paid.
You should never neglect the most basic security to win time, not on anything that eventually ends up in production. The problem above is solved by including the framework code that manages the main site and calling its own auth check from CheckAuthentication(). On Kohana 3 it would look like this:
function CheckAuthentication()
{
    // Bootstrap Kohana without executing the main request, so only the
    // framework, its modules and the session are loaded.
    if (!defined('SUPPRESS_REQUEST')) {
        define('SUPPRESS_REQUEST', TRUE);
    }
    require_once('../../index.php');
    // Reuse the same login state the rest of the site relies on.
    return Auth::instance()->logged_in();
}
Done! Problem solved. Did it really take that long? Assuming you knew something about Kohana and its modules, no.
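To make the point concrete, here is a stand-alone uploader script of the kind CKEditor's connector hands your files to. It is an added example, not CKEditor's code and not the post author's: it assumes the main site sets $_SESSION['IsAuthorized'] on login (as the config.php comment suggests), an upload directory of /var/www/uploads that the web server will not execute scripts from, and a form field named "upload". It refuses unauthenticated POSTs first, and then goes one step further than the post by also checking what is being stored, since an authenticated user can still send a .php file named "photo.jpg".

```php
<?php
// Added example, not CKEditor's or the post author's code.
// Stand-alone upload endpoint: (1) refuse unauthenticated requests,
// (2) validate the file before storing it. Paths and session key are assumptions.

session_start();

/** Mirrors the config.php suggestion: the main site sets this key on login (assumption). */
function check_authentication(): bool
{
    return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'] === true;
}

/** Allowlisted extension only, and a random server-side name so the client
 *  controls neither the path nor the final file name. Returns null if rejected. */
function safe_upload_name(string $original, array $allowed): ?string
{
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// The auth check comes before anything touches the uploaded file.
if (!check_authentication()) {
    http_response_code(403);
    exit;
}

if (!isset($_FILES['upload']) || $_FILES['upload']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit;
}

$allowedExt   = ['jpg', 'jpeg', 'png', 'gif'];
$allowedMimes = ['image/jpeg', 'image/png', 'image/gif'];

$name = safe_upload_name($_FILES['upload']['name'], $allowedExt);

// Check the content, not only the name: finfo reads the file's magic bytes.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($_FILES['upload']['tmp_name']);

if ($name === null || !in_array($mime, $allowedMimes, true)) {
    http_response_code(415);
    exit;
}

$uploadDir = '/var/www/uploads';   // assumption: exists, writable, no script execution
if (!move_uploaded_file($_FILES['upload']['tmp_name'], $uploadDir . '/' . $name)) {
    http_response_code(500);
    exit;
}

header('Content-Type: application/json');
echo json_encode(['stored' => $name]);
```

The order matters: the 403 is returned before the file is even inspected, so an unauthenticated request costs the server nothing and leaks nothing about what it would have accepted. Whatever framework you bolt the check onto, the uploader must fail closed on its own, because it is addressed directly and never passes through the site's login page.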
If no one specifically forbids you from thinking about security, do think about it. If you're not allowed to write code you're confident in, tell the managers they get what they pay for, or find a new job.
Data Security and Cryptology Lecture #3
Lecture homepage: http://enos.itcollege.ee/~valdo/turve/
Safeguards
- Preventive safeguards – Prevent security incidents from happening. The main line of defence.
- - Minimize vulnerabilities and risk probabilities
- - Prevent attacks
- - Decrease the ripple effects of a security incident on other IT assets
- Identifying safeguards – Tell us that a security incident has occurred so we can take suitable action.
- Reconstructive safeguards – Restore the environment to the state it was in before the security incident occurred. For example, if the firewall was disabled, it needs to be re-enabled ASAP. The more important the asset, the more attention should be given to reconstructive safeguards. Methods:
- - Backup
- - Renovation (repair of the damaged asset)
- - Replacement
Identifying safeguards
- Avoiding the incident
- Identifying the incident
- - Operative identification: if the incident happens, we want to be notified immediately and take immediate action. Example: fire alarm.
- - Post-incident identification: if operative identification is not possible, we want to get the information as soon as possible afterwards. Log files and passive alerts (e-mails sent by a cron job).
- - Evidence-based identification: security elements added to IT assets to check integrity/confidentiality. Examples: signatures on paper documents, checksums on files.
- Proving (later) that the incident happened
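The "checksums on files" item is the one safeguard above that can be shown in code. The following is an added example, not part of the lecture: it records a baseline of SHA-256 digests for a directory, then compares the directory against that baseline later and reports what was added, removed or modified. It builds a small constructed tree in a temporary directory (a firewall config that gets "disabled", as in the lecture's own example) so it runs stand-alone; in practice the baseline would be kept where an attacker cannot rewrite it.

```php
<?php
// Added example, not from the lecture. Evidence-based identification with
// file checksums: take a baseline, compare later, report the differences.
// The directory tree below is constructed for the demo.

/** Map of relative path => sha256 hex digest for every file under $dir. */
function baseline(string $dir): array
{
    $sums = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen($dir) + 1);
            $sums[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($sums);
    return $sums;
}

/** Compare a stored baseline with a fresh one. */
function compare_baselines(array $stored, array $current): array
{
    $modified = [];
    foreach (array_intersect_key($stored, $current) as $path => $sum) {
        if (!hash_equals($sum, $current[$path])) {
            $modified[] = $path;
        }
    }
    return [
        'added'    => array_keys(array_diff_key($current, $stored)),
        'removed'  => array_keys(array_diff_key($stored, $current)),
        'modified' => $modified,
    ];
}

// Constructed demo tree.
$dir = sys_get_temp_dir() . '/integrity_demo_' . bin2hex(random_bytes(4));
mkdir("$dir/etc", 0700, true);
file_put_contents("$dir/etc/firewall.conf", "enabled=yes\n");
file_put_contents("$dir/etc/motd", "welcome\n");

// Baseline taken while the system is known-good. Keep it off the host
// (read-only media, another machine) so the attacker cannot "fix" it too.
$stored = baseline($dir);

// Simulated incident: firewall disabled, a cron entry dropped, motd deleted.
file_put_contents("$dir/etc/firewall.conf", "enabled=no\n");
file_put_contents("$dir/etc/cron.d", "* * * * * root /tmp/x\n");
unlink("$dir/etc/motd");

$report = compare_baselines($stored, baseline($dir));
foreach ($report as $kind => $paths) {
    printf("%-8s %s\n", $kind, $paths ? implode(', ', $paths) : '-');
}

// Clean up the demo tree.
array_map('unlink', glob("$dir/etc/*"));
rmdir("$dir/etc");
rmdir($dir);
```

This is post-incident identification in the lecture's terms: it does not stop the change, it tells you afterwards that firewall.conf no longer matches, that cron.d appeared and that motd is gone, which is exactly the input the reconstructive safeguards need.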
Classification of Safeguards by IT Assets
- Physical assets
- Information / data
- Software
- Ability to reproduce a product/service
- People
- Intangible aspects
Components of organizational safeguards
- Activities that someone must do
- Activities that are prohibited for certain persons
- Sanctions for doing something prohibited
- Sanctions for not doing something that must be done
Another reason to distrust open WiFi
Foreword
I connected to an open wireless network in a very busy part of Tallinn just moments ago. Something unexpected happened that made me once again thank Tux that I'm slightly paranoid.
As you undoubtedly should know, wireless networks, especially open ones and weakly (WEP) encrypted ones, are dangerous: everything you send over such a network is as visible as if you were giving a lecture. Think it over.
No one (except maybe Google) cares that you search for restaurant reviews. But what about sensitive information like the passwords you send, or any other kind of data I have access to, such as...
- Login information (Facebook, mail, blog, travel, ANY kind of site)
- IM message sessions
- Vulnerable services running on the machine (file server)
I was taught the basic skills of intercepting data travelling between networks in the first semester of my freshman year. In fact, any kiddie could pull it off. Because of that knowledge, I tend to avoid logging in to anything unencrypted while outside the pseudo-safety of my home network.
Some More Background
As you might (not!) know, Facebook only recently added a very important security feature (of course, you have to opt in for it; funny, usually one has to opt out of new "features"). Enabling secure(r) browsing means that the channel between your computer and the Facebook server is encrypted and unreadable to the dude sitting at the next table.
I'm sure you have connected to a free WiFi hotspot and seen the welcome page that seems impassable unless you click the "Yes, I take full responsibility for my actions while in your network" button. That's all warm and fuzzy, but the welcome page can also be configured so that it redirects you to a website of the owner's choosing after you click the button. That's usually the company's website.
So what the hell happened?
With that background comes the main point of the post. The network I connected to had decided that the redirect page (after I click "Agree, let me use your WiFi") should be their Facebook page. Okay, all well and good.
Except…
Remember that the connection to Facebook is not encrypted by default? And since I was already logged in from earlier, that plain-HTTP request, with the cookie that keeps me logged in attached to it, would have moved openly across several network hops, for anyone with a motive to see, capture and/or modify it.
Even if I hadn't already been logged in, extensions like LastPass log you in automatically. As if the initial request weren't enough, there are loads of hidden background queries to and from the Facebook server (the chat window, friends online, notifications...), all moving over unencrypted HTTP, over the air.
Not scared? You should be. Identity theft may sound like an obscure idea, but think of what you'd do if you had a day to live and no responsibility for your actions. You'd probably rob a bank or something.
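Why being "already logged in" is the dangerous part is a matter of cookie mechanics, which the following added example (not the post author's code) makes visible. A browser attaches every stored cookie for a host to a plain-HTTP request to that host unless the cookie carries the Secure attribute, so the captive portal's redirect to an http:// address puts the session cookie on the air. The Set-Cookie headers below are constructed samples in the shape a site sets after login; they are not real Facebook cookies.

```php
<?php
// Added example, not the post author's code. Models which stored cookies a
// browser sends for a plain-HTTP versus an HTTPS request to the same host.
// The cookies are constructed samples, not real Facebook cookies.

/** Parse one Set-Cookie header into name, value and lower-cased attributes. */
function parse_set_cookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    $pair  = array_map('trim', explode('=', array_shift($parts), 2) + [1 => '']);
    $attrs = [];
    foreach ($parts as $p) {
        if ($p === '') {
            continue;
        }
        $kv = explode('=', $p, 2);
        $attrs[strtolower(trim($kv[0]))] = isset($kv[1]) ? trim($kv[1]) : true;
    }
    return ['name' => $pair[0], 'value' => $pair[1], 'attrs' => $attrs];
}

/** Names of the cookies a browser would attach to a request over $scheme. */
function cookies_sent_over(array $cookies, string $scheme): array
{
    $sent = [];
    foreach ($cookies as $c) {
        // A cookie marked Secure is withheld from anything but HTTPS.
        if (isset($c['attrs']['secure']) && $scheme !== 'https') {
            continue;
        }
        $sent[] = $c['name'];
    }
    return $sent;
}

// Constructed Set-Cookie headers as a site might send them after login.
$headers = [
    'session_id=abc123; Path=/; HttpOnly',             // no Secure attribute
    'session_id_tls=def456; Path=/; Secure; HttpOnly', // Secure attribute set
    'locale=en_US; Path=/',
];
$cookies = array_map('parse_set_cookie', $headers);

printf("Sent over http://  : %s\n", implode(', ', cookies_sent_over($cookies, 'http')));
printf("Sent over https:// : %s\n", implode(', ', cookies_sent_over($cookies, 'https')));
```

Run it and the http:// line lists session_id while the https:// line is the only one that lists session_id_tls. Opting in to HTTPS browsing, as the post recommends, only helps if the session cookie is also one the browser refuses to send in the clear; otherwise the first http:// redirect still carries it, encryption setting or not.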
Wrap
Wouldn't it be a beautiful world of rainbows and butterflies if everyone knew at least a little about the threats in (open) networks? If you must check in with your digital social life, opt in and enable the goddamn encryption. It's a one-time setting, doesn't cost you anything and is a hell of a lot better than explaining to Tim that you are not "It's complicated" with his wife.
Also, a note to the unnamed coffee shop: please don't pull stunts like that and throw the visitor to the wolves... or at least give a five-second warning or something!
P.S. I'd like to know more about what Facebook actually does when the user is idle: what type of queries move between the server and the client. Please leave a comment below if you know something about it.
On Facebook and privacy
Everyone is on Facebook. If you're not on Facebook, you're nobody.
That's the reason many users of the popular social networking site are still sticking to it. It's not that it offers something we cannot live without or couldn't find an alternative to; we're there because everyone we know (and often, don't know) is using the site.
Facebook has lost its original purpose: connecting friends. People, as in individuals, to other people, and more importantly, a network of friends. What started out with Mary knowing Tim has become the Internet knowing Mary. Friend lists have grown, with the average number of friends being 130 (1). Companies apply increasing pressure and invade what was supposed to be a network of persons, which has instead become a target group for products, services and campaigns.
How many people do we really interact with on a weekly basis? And how many of them are truly what could be described as "a person attached to another by feelings of affection or personal regard" (2)? Nowadays it's not uncommon for me to see people accepting friend requests from others they barely know, seemingly only to increase the counter. Do they realize they give that person access to their personal life (and the ability to cause harm)?
The answer must obviously be no, for how else could there be such a high disregard for, and low awareness of, security and privacy issues? The bad guys love Facebook too. It's an ideal incubator for all sorts of profitable things. Just take a look at some of the articles published in my favourite IT security blog, NakedSecurity: scams spread like wildfire and, what's worse, even the obviously fishy ones get customers.
To be fair, the same can be said about the virtual world outside Facebook... but I, as a user, don't feel any more secure in there than in the wild. Look at it this way: Windows (XP) is the most widespread operating system on the planet. What's the most popular target for malware, adware, spyware, viruses...? The matter is not improved by the company's jumpy privacy policies, its default settings and the number of scams able to reach the network through compromised accounts and applications.
In the light of all that whining, am I saying that people should ditch Facebook? No. The service is like a car, in a way: use it right and it opens new opportunities; drive drunk and it doesn't end well... but unlike driving, neither Facebook nor the Internet requires a certification process.
If you're like me, just a tiny bit paranoid and protective about privacy, you might have heard of a project called Diaspora. Essentially, it's a replacement for Facebook designed to give you, and only you, control over your data... but that's a poor way to put it. Prof. Eben Moglen can explain the reasons behind it a lot better.
To cut the rambling short, here are some of the points I'm not happy about:
- The amount of noise far outweighs any useful information I signed up to get, even though my friends list, likes and authorized application count are relatively small
- No verification process for applications: do I really want them to access my personal data?
- Uncertainty about privacy settings: the defaults are too open, they're confusing and they change often. Only post stuff you'd be willing to see in a local newspaper.
- Invasiveness: recommendations to give out my phone number and connect my accounts on Twitter / Gmail etc.
- HTTPS off by default
- Inability to bulk-delete my data without deleting my account
The concept of a social network is a fabulous one in itself, but Facebook's policies leave reason for dissatisfaction.
With all my heart, I hope you continue to exercise your role as a Facebook citizen, but please do so responsibly. Realize that the information you give out will stay there and you are no longer in control of it.
References:
- (1) Facebook press statistics, https://www.facebook.com/press/info.php?statistics (accessed 23 May 2011)
- (2) "friend", http://dictionary.reference.com/browse/friend
Disclaimer: This is an article of personal opinion. The aim of the article is not dishonoring the reputation of Facebook.
Teachers and privacy
UK teachers' union says no to bill allowing searches of student mobiles
Ando "David" Roots is a college student and a software developer from Kunda, Estonia. Living, working and studying in Tallinn, he hopes to get his bachelor's degree in IT Systems Development from the Estonian Information Technology College.