Tuesday, May 27, 2014

Surprise! Big vendors don't keep your data particularly secure

As Yozons talks with various companies regarding our U.S. Patent No. 7,360,079, we were surprised to learn how many vendors do not treat their customers' data securely.

I suppose after decades of viruses targeting Microsoft products, Adobe PDF exploits -- heck, Adobe's products in general -- and Target losing 40 million+ of its customers' credit card numbers and other personal information, it shouldn't really be a surprise.  We just thought that web contracting vendors would be different.  We were wrong.

Some vendors claim they encrypt their customer data and documents using impressive sounding things like 256-bit AES, but if you read the details, you will find they only do so using HTTPS when your data is transferred over the Internet.  Yes, HTTPS is a key starting point and is fundamental to our patent, but once they store your data on disk, all bets are off.

Some do not make any attempt at encrypting your data when stored.  I guess they just take the "trust us" or "what? me worry?" attitude and are exceedingly cavalier with regard to your data.  Laws surrounding health information (HIPAA), financial information (GLB, PCI) and just plain common sense regarding any sensitive business information (NDAs, trade secrets, competitive advantage) should make data encryption the standard for any service provider that deals in web contracting and electronic signatures.  Rather than let their servers do a few extra calculations to keep your data secure, these vendors choose not to.

Others do at least encrypt the data on disk, but if you read carefully, you'll learn many are using what's known as disk encryption and/or filesystem encryption.  That is certainly a step up over those who don't encrypt at all, but such encryption makes the most sense on laptops and other portable electronics.  That's because those portable devices tend to be lost or stolen.  But larger servers in a secure data center generally don't suffer issues with disk theft.

So what's wrong with such disk/filesystem encryption?  Well, disk/filesystem encryption typically is unlocked during the server boot process.  It's also fully automatic, meaning that when a file is read, it is automatically decrypted, and when a file is written, it is automatically encrypted.  If your database stores its tables and indexes on such an encrypted disk, the data is encrypted automatically when stored, but also decrypted automatically when read.

This means that your data is only secure against physical theft of the disks.  If a hacker gets access to the server, every file the hacker reads will automatically be decrypted.  If a hacker exploits an SQL injection or other web site vulnerability, when it requests data from the database, it's all automatically decrypted.  There's no run-time security whatsoever.  Heck, if they implant a virus on the server, such a setup will dutifully encrypt it just like your sensitive data.

Unfortunately, far too much theft occurs from insiders -- think Edward Snowden for a particularly egregious example against an agency that takes encryption and security seriously.  With disk encryption, system administrators can easily view your data just by running queries or reading files.

While Yozons may be small, we're at least smart enough to keep customer data encrypted before storing it to disk or into the database.  The advantage is that database queries and reading files will return only encrypted data.  If the disks are stolen, the data is encrypted.  Backups are automatically encrypted.  The use of disk encryption helps, but only in limited, far less likely scenarios.
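The distinction drawn above, as an added example that is not Yozons' code: the application encrypts each document with AES-256-GCM before it is written, so a raw query against the table (what an administrator or an SQL injection would see) yields only ciphertext, while code holding the key still reads the plaintext. The table, key source and sample row are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Table stands in for a documents table (id -> stored column); the column holds only nonce||AES-256-GCM ciphertext.
type Table map[string][]byte
// Vault holds the data key in application memory, never on the database host.
type Vault struct{ aead cipher.AEAD }
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead}, err
}
// Put encrypts before the row reaches the table; the record id is bound as
// associated data, so a ciphertext cannot be copied into another record.
func (v *Vault) Put(t Table, id string, plaintext []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	t[id] = v.aead.Seal(nonce, nonce, plaintext, []byte(id))
	return nil
}
// Get decrypts a row; only code holding the key can produce plaintext.
func (v *Vault) Get(t Table, id string) ([]byte, error) {
	ct, n := t[id], v.aead.NonceSize()
	if len(ct) < n {
		return nil, fmt.Errorf("no usable row %q", id)
	}
	return v.aead.Open(nil, ct[:n], ct[n:], []byte(id))
}
func main() {
	key := make([]byte, 32) // constructed: in practice fetched from a KMS/HSM, not stored beside the data
	rand.Read(key)
	v, _ := NewVault(key)
	db := Table{}
	v.Put(db, "contract-42", []byte("NDA terms: salary $120,000")) // constructed sample row
	// What "SELECT doc FROM documents" hands an admin or an SQL-injection payload:
	fmt.Printf("raw column: %x\n", db["contract-42"])
	pt, _ := v.Get(db, "contract-42")
	fmt.Println("via app:   ", string(pt))
}
```

Disk or filesystem encryption would have returned the plaintext at the "raw column" step, because the decryption happens below the database, not in the application.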

When dealing with sensitive information like Yozons does on a daily basis for its hundreds of thousands of users, Yozons practices what it preaches when it comes to privacy.  Customer documents are always stored encrypted, as is all of the data populated into forms.  Some of the data may not need special security, but we also handle a lot of financial information, human resource information, and other sensitive business communications.

As a vendor, we don't keep your private data "in the clear" to save a few computing cycles.  As a customer, you shouldn't have to worry if hackers or system administrators can sift through your data.  Don't be surprised: read the details and ask questions of your vendors.

Sunday, May 4, 2014

Security theater is neither secure, nor entertaining

Bruce Schneier is known for coining the term "security theater" to describe security procedures that "look" like something is being done, when in fact, no actual security is provided.

On a recent trip with my family, we saw this yet again with the TSA agents at the airport.  My wife, son and I all have Nexus IDs issued by the border patrol.  To get such an ID, we had to pass a security background check, had our fingerprints taken, and they did an iris scan (biometrics of the eyes).  The TSA now offers a "TSA Precheck" program for travelers who have such IDs to expedite travel through the security lane at participating airports and airlines.

This program is pretty nice, making air travel nearly as easy as before the 9/11 changes that have done little to improve actual security.  (It's recognized that securing the cockpit doors and general passenger awareness have been the true security improvements despite the billions spent on other things.)  We no longer have to remove our laptops or take off our shoes, and we generally only have to pass through a metal detector.  It is a breeze.

What I didn't realize is that the nonsense about "3 ounce fluid" limits is still in place.  We bought two jars of blueberry preserves from Andersen's in Buellton, California, one for ourselves, and one as a gift.  Since Alaska Airlines charges $25 per checked bag, we skipped this convenience that was once the norm and is still practiced by a few better run airlines.  The TSA agent gave us the option to return to the counter and check our bags, but it wasn't worth $25 to bring two jars of blueberry preserves home in one bag while the other two bags would still have to be carried on lest we pay $75 for them all.

Who even thought preserves were a fluid?  We thought they were fruit.

The TSA confiscated the jars and, knowing that they could very well be a blueberry bomb, tossed them into a plastic bin right behind them.  They are so concerned about the safety of the airplane that they make no effort to secure confiscated items where they work all day and thousands of passengers pass by, proving that there is no actual security concern.  I mean, they even offered that I could check my bags as if a blueberry bomb is secure in the cargo hold, but not in the cabin.

Was the TSA really concerned about blueberry preserves carried by a family, all with their sophisticated IDs, after returning from a weeklong trip to a robotics competition, visiting our 80-year-old aunt and uncle, and then visiting friends we've had since the mid-1980s when we worked together at a bank?  Did they make any attempt to think about anything?  Ask us any probing questions about where we got them, like Customs would do for international travelers?  The answer to all is "no."

That's security theater.

Ironically enough, while waiting at the gate, Alaska Airlines offered to check our bags for free and give us priority boarding to do so.  All of the passengers that simply paid $25 to check their bag paid too much and never received preferential boarding.  We saved $75 and boarded early.  How's that for a nonsensical policy?

There are other examples of poor security in the name of usability, including "link/URL shortening," those links that Twitter, Google, Bit.ly, Facebook, LinkedIn and others send out that essentially hide the true nature of a link behind a name like "http://t.co/aFKZJ9rTlM".  This makes it much easier for spammers and virus writers to distribute their payloads because you cannot determine the validity of the web site you will be visiting.  This is a "convenience" that only increases the likelihood that more victims will suffer.

Before link shortening, Microsoft did something similar with Windows when it decided to hide file suffixes.  We all learned early on that files that end in .EXE, .COM and .BAT could be run on your PC, and we later learned that .PIF, .ZIP and .PDF were also often dangerous and could be used to carry malicious content.  Then Microsoft decided that helpful information like this was "too long" and started to hide them by default.  So now files like Resume.doc.exe were shown to users as Resume.doc, making a malicious executable appear to be a Word document.  Not showing a few characters may have seemed a good idea, but there are untold numbers of users who suffered because of this security mistake.

We see this also in mobile browsers, both on phones and tablets, where the browser hides the details about links in the location field and just shows the domain name.  Once again, this user interface convenience just allows for hiding details that are useful to those who are security conscious and show some interest in the data being sent in link parameters.

The Firefox browser has taken to showing a warning icon next to secure web sites using HTTPS if the certificate only verifies the domain name rather than the company that owns the domain name.  This makes perfectly secure web sites appear to be less than secure, adding no real benefit except to vendors who sell more expensive web site SSL certificates.  The problem is that many web sites are service providers, so trust shouldn't just be placed in the vendor operating the web site, but in the customer who is using that service to send you information, take your order, etc.  If you are buying from Vendor A, but they use Provider B's web service, you will see Provider B's domain name and "verified" certificate status, but there's no reason to misplace trust in Vendor A just because you may trust Provider B, who has been vetted only slightly more.

Sadly, this lack of security understanding extends to many well established e-signature/web-contracting vendors.  It seems that many such vendors, despite their fancy web sites and millions of investor dollars, do not even take the basic security precaution of encrypting your documents and data when stored on their systems.  They proudly proclaim they use 2048-bit encryption, but this is only for the short HTTPS transfer of data over the Internet.  Once stored for a much longer time in their system or database, your data is entirely exposed to system administrators and potentially to hackers who constantly find ways to steal such data through other sloppy coding.  This happens repeatedly, yet such "well known" vendors often do not take the simple precaution of securing your data for you and helping you comply with laws and regulations surrounding securing financial and personal information.

We have also discovered that quite a few e-signature vendors don't even apply digital signatures when you sign.  This seems most unusual since digital signatures are the tech standard for this purpose and long pre-date the vendors who are offering e-signature services.

Trust is misplaced when you realize that your e-signature vendor neither secures your data nor digitally signs the documents when you apply your electronic signature.  Such sloppy security practices only serve to save them a few dollars while putting their entire customer base at risk.
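What a digital signature adds over a bare "electronic signature", as an added example that is not Yozons' code: each signing step produces an Ed25519 signature over the signer's name, the document's hash and the previous step's signature, so any later edit to the document, a dropped step or a renamed signer fails verification. The signers, keys and document are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Step is one signing event: who signed, with which public key, and a detached signature.
type Step struct {
	Signer string
	Pub    ed25519.PublicKey
	Sig    []byte
}
// message is what actually gets signed: len(signer)||signer||SHA-256(doc)||previous signature.
// Covering the previous signature chains the steps so none can be dropped or reordered.
func message(signer string, doc []byte, prev []byte) []byte {
	h := sha256.Sum256(doc)
	m := make([]byte, 4, 4+len(signer)+32+len(prev))
	binary.BigEndian.PutUint32(m, uint32(len(signer)))
	return append(append(append(m, signer...), h[:]...), prev...)
}
// Sign appends a step for doc as it exists at this moment.
func Sign(chain []Step, signer string, doc []byte, priv ed25519.PrivateKey) []Step {
	var prev []byte
	if len(chain) > 0 {
		prev = chain[len(chain)-1].Sig
	}
	sig := ed25519.Sign(priv, message(signer, doc, prev))
	return append(chain, Step{signer, priv.Public().(ed25519.PublicKey), sig})
}
// Verify re-checks every step against the document as it is now; any later edit or tampered step fails.
func Verify(chain []Step, doc []byte) bool {
	var prev []byte
	for _, s := range chain {
		if !ed25519.Verify(s.Pub, message(s.Signer, doc, prev), s.Sig) {
			return false
		}
		prev = s.Sig
	}
	return len(chain) > 0
}
func main() {
	_, alice, _ := ed25519.GenerateKey(rand.Reader) // constructed keys for the demo
	_, bob, _ := ed25519.GenerateKey(rand.Reader)
	doc := []byte("Agreement v1") // constructed document
	chain := Sign(Sign(nil, "alice", doc, alice), "bob", doc, bob)
	fmt.Println("intact:", Verify(chain, doc), "edited:", Verify(chain, []byte("Agreement v2")))
}
```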

Security theater is neither secure, nor entertaining.

Yozons has the right solution for your enterprise as we understand security, keeping your data secure at all times and applying a digital signature at every step of your online process.