Friday, September 8, 2017

Security and Ethics

Today let's discuss reputation, security, ethics, why they are important and how they affect online security.
Security is important. We also know that there is no such thing as absolute security. But can we do it better?

Of course. We can and should do our best to secure our applications, infrastructure, code, policies, etc - but in the end, security is just another technical requirement. A very important requirement that supports the reputation and the perception of a company. On this post, let's discuss reputation, security, ethics, why they matter, why they are important and how they affect online security on information technology.

Reputation

Reputation is a very important asset companies (and people) should pursue and work hard to keep because once lost, it's hard to gain it back. For example, a recent survey made by The Identity Theft Resource Center (ITRC) found out that 41 percent of surveyed people said they wouldn't do business with the breached company again.
With that said, let's discuss two LastPass and Log Me In before we can jump on insights on the latest Equifax hack.

The LastPass case

I was looking for information on password managers and found this interesting post on Troy Hunt's website describing why he decided to stop using LastPass after it was acquired by LogMeIn:
Then, on the blog post he said :
Companies like LastPass live and die by reputation and incidents like their breach in July that exposed master password hashes are hugely significant due to the impact it has on the perception of the company.

The Equifax case

Now, let's jump to Equifax. According to Wikipedia,
Equifax collects information on over 800 million individual consumers and more than 88 million businesses worldwide. Equifax has US$ 3.1 billion in annual revenue and 9,000 employees in 14 countries.
Not a small company, right? But what about the hack?
In September 2017, Equifax announced a cyber-security breach, which it claims to have occurred between mid-May and July 2017, where cybercriminals accessed approximately 143 million U.S. Equifax consumers' personal data, including their full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers.

Equifax also confirmed at least 209,000 consumers' credit card credentials were taken in the attack. The company claims to have discovered the evidence of cybercrime event on July 29, 2017. Residents in the United Kingdom and Canada were also impacted.
According to Bloomberg and ARS Technica (just to name a few) it's probably "one of the biggest hacks in history". Personally, I couldn't agree more with them. ARS Technica describes:
the Equifax data breach is, "very possibly the work leak of personal info ever." The breach, via a security flaw on the Equifax website, included full names, Social Security numbers, birth dates, addresses, and driver license numbers in some cases. Many of the affected consumers have never even directly done business with the giant consumer credit reporting agency.

A highly problematic solution

If all of that wasn't enough, ARS Technica still reports that the site created to alert users -  www.equifaxsecurity2017.com - was "highly problematic for a variety of reasons". For example, it was found on 9/8/2017 9AM PT that the site was leaking data:

Source: ARS Technica

Yes, an open endpoint leaking data on a website created to alert users that everything is supposed to be OK. It was removed a little after but you get it. The company that already had their reputation and perception damaged (because of insecure systems), was trying to calm everyone creating a website full of naive technical defects.

A highly problematic solution - Part Deux

Update: On Sep 17,2017, Brian Krebs reports that researches found an Equifax in Argentina having access to extremely confidential information configured with admin/admin; 
It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”
How critical is that? I think we're seeing a sad pattern here. Hope we don't see any other chapters in this history because the leak is already pretty critical.

A highly problematic solution - Part Trois

Update: On Sep 21,2017 - Yes, it can get worse! According to The Verge:
In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours.
Gizmodo captured the tweets:

Sourcegizmodo.com

Pretty sure there's way more out there exploring the situation. The level of incompetence is astonishing!

Ethics

And then, if all of that wasn't enough, we get to Ethics. Bloomberg News reports that three Equifax managers sold stock before cyber hack revealed. In fact, Wolf Richter greatly summarized this for us:
Turns out, Equifax got hacked – um, no, not today. Today it disclosed that it had discovered on July 29 – six weeks ago – that it had been hacked sometime between “mid-May through July,” and that key data on 143 million US consumers was stolen. There was no need to notify consumers right away. They’re screwed anyway. But it gave executives enough time to sell 2 million shares between the discovery of the hack and today, when they crashed 13% in late trading.
Yes, the interval between the supposed hack and it's public announcement was enough to allow insiders sell 2 million shares. How can a company have its perception improved like that? 

Probably not going to happen in the near future, especially after more and more bad news about websites misconfigured, data leaks and links to a fake site.

Conclusion

So, that's how security, reputation and ethics converge. Perception derives from those and is highly influenced by them.

Security is hard. Ethics in the other hand, can and should be easy - but only if  we want to do it.
It's about time companies do their best to protect their biggest asset: their customers, their data, their privacy. And it all can start with us, developers.

See Also

Security and development: how much is being done?
Security is only as strong as the weakest link
The Laws of security
Privacy and Ethics
Security Boundaries
Integrated security vulnerability alerts on GitHub - Why it matters

For more security posts on this blog, please click here.



Update [Mar 13, 2018]: There is a very nice description on why you should consider migrating from LastPass here.