Security is a design issue

Fred Lakin
Published in The Overlap
Mar 12, 2016

Of late I have been dismayed by the increasing number of security
breaches at web companies.

Very troubling is “exposure” of personal data, even worse when
kids are involved.

— — — — — — — — — — — — — — — — — -
Cory D: “Vtech is a ubiquitous Hong Kong-based electronic toy
company whose kiddy tablets and other devices are designed to work
with its cloud service, which requires parents to set up accounts
for their kids. 4.8 million of those accounts just breached, leaking
a huge amount of potentially compromising information, from kids’
birthdays and home addresses to parents’ passwords and password
hints. Worst of all, Vtech’s own jaw-droppingly poor security is
clearly to blame.”
— — — — — — — — — — — — — — — — — — — -

Look, security is a design issue. For stuff, either God made it or humans
designed it. So until IEEE support for HSDTP (Heavenly Secure Data
Transport Protocol), security is a design issue.

<rebuttal>

“No, you don’t understand. We’re designers. Security is handled
by coders.”

First, don’t let “coders” do security. Hire some programmers.

Second, I feel an uplifting sensation. Do you feel it too? Elevator?
Nope. Helicopter? Nope. Ah, it’s the design thinking petard and
it’s going UP.

Surely security is part of “Designing for the Network”? Surely
responsible User Experience design includes preventing the user
experience of getting foxtrotted by crappy security? Surely design
thinking involves taking a whole system view?

<rebuttal>

“But you still don’t understand …”

Yeah, I get that a lot. I’m old.

“… see, what you don’t understand is that, even if I agreed with
you, as a designer there’s nothing I can do. It’s not my job as
defined by the org chart. Management would not appreciate it if I
started having opinions about security.”

Another thing old guys say: “Either you’re part of the problem or
part of the solution.”

There are only three reasons a profit-driven org would improve web
site security: (1) it’s the right thing, (2) save money, (3) make more money.

1. Ha.

2. No liability, no motivation. Cory D: “There are no real penalties for this
negligence.”

3. Raise consumer consciousness and make security a feature for marketing.

Let’s go with 3. Start out with “table stakes security.”

— — — — — — — — — — — — — — — — — — -
Cory D again: “Salt password database; take countermeasures against
code-injection attacks; use SSL to protect user passwords and other
sensitive information in transit.”
— — — — — — — — — — — — — — — — — — -
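An added example, not code from this post, from Vtech or from Cory D, of the first table-stakes item above (and of the “password hash-salting” the Home Depot piece near the end lists): it contrasts an unsalted one-shot digest with a per-user salted, iterated hash. It assumes PBKDF2-HMAC-SHA256 and a constructed iteration count; the sample accounts and passwords are made up.

```python
"""Salted vs. unsalted password storage (added example, constructed data)."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for the demo; tune ITERATIONS to current guidance.
ITERATIONS = 200_000
SALT_BYTES = 16


def weak_unsalted_hash(password: str) -> str:
    """The pattern the breach write-up faults: one fast, unsalted digest.
    Two users with the same password get the same stored value, so one
    precomputed table cracks every such account at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a random per-user salt next to an iterated hash of the password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iters": ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iters"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_looks_same(password: str, salted: bool) -> bool:
    """Do two accounts that chose the same password store identical values?
    True for the unsalted scheme, False once each account gets its own salt."""
    if salted:
        return make_record(password)["hash"] == make_record(password)["hash"]
    return weak_unsalted_hash(password) == weak_unsalted_hash(password)


if __name__ == "__main__":
    # Constructed case: two parents who picked the same password.
    print("unsalted values collide:", same_password_looks_same("Fluffy2010", False))
    print("salted values collide:  ", same_password_looks_same("Fluffy2010", True))
    rec = make_record("Fluffy2010")
    print("verify right:", verify(rec, "Fluffy2010"), "wrong:", verify(rec, "fluffy2010"))
```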

Then convince management that people really care about it and that it’s
worth spending more money, because then you can legitimately advertise better security as a feature on the site.

As opposed to the standard vague untestable security BS: “Highest
standards, your privacy highest priority, blah highest blah blah.” Along with,
buried in the T&Cs, giant loopholes that let the org off the hook in
case of any breach.

If management isn’t convinced, then tell them security is an ethical issue
of design craft with you — see Design Petard above — and you
refuse to work on the site until they change their position. If they
still say No, find your Norma Rae and go on strike. An ignited
petard lifts all butts.

regards,
-fred

SECURITY TABLE STAKES … do it for the kids!

TOY MAKER LEAKS

Bad toy security led to massive toy maker hack that leaked data for 4.8 million families
Cory Doctorow, 2:08 pm Fri Nov 27, 2015
http://boingboing.net/2015/11/27/vtech-breach-dumps-4-8m-famili.html

Vtech is a ubiquitous Hong Kong-based electronic toy company whose
kiddy tablets and other devices are designed to work with its cloud
service, which requires parents to set up accounts for their
kids. 4.8 million of those accounts just breached, leaking a huge
amount of potentially compromising information, from kids’ birthdays
and home addresses to parents’ passwords and password hints.

Worst of all, Vtech’s own jaw-droppingly poor security is clearly to
blame. The company didn’t salt their password database, take
countermeasures against code-injection attacks, or even use SSL to
protect user passwords and other sensitive information in transit.

The company was slow to respond to the first reports of the breach,
so that criminals who had the data had a longer window in which to
exploit it before Vtech’s customers knew to take action, and when
Vtech finally did acknowledge the breach, it weaseled and misled its
customers about the seriousness of the problem.

Troy Hunt, who operates the indispensable Have I Been Pwned service,
has written up a thorough and damning account of Vtech’s failings,
and what they mean for 4.8 million families whose trust Vtech
betrayed.

Now here’s where I need to be intentionally vague because
despite their assurances that their system is now secure, they
still have gaping holes that allow every kid to be matched with
every parent. The details of this have been passed on to VTech
and I’ll say this much here: there’s no simple fix. The flaws
are fundamental and the recommendation I’ve passed on is to take
it offline ASAP until they can fix it properly. You just can’t
take chances with other people’s data in this way, especially
not when they’re kids.

The average age of kids when their account was created is just 5
years old. They have the sorts of login names you’d expect a
parent to give their children; affectionate “pet names” in many
cases. The kids are almost precisely split between girls and
boys and not only has their data already been leaked in this
breach, it remains at serious risk due to the implementation of
the site.

When children are breached — inside the massive VTech hack, Troy Hunt/Ars Technica

http://arstechnica.com/security/2015/11/when-children-are-breached-inside-the-massive-vtech-hack/

$0.34 IS NO MOTIVATION

Home Depot might pay up to $0.34 in compensation for each of the 53
million credit cards it leaked
http://boingboing.net/2016/03/09/home-depot-might-have-to-as-mu.html

This is terrible news for you and me. Home Depot wasn’t the first to
breach and won’t be the last. Every day, companies compel you to
give them significant, sensitive data in order to, say, get a work
visa, apply for a job, or get a post-office box. Home Depot breached
because it was grossly negligent, and it was grossly negligent
because it correctly assumed that there would be no real penalties
for this negligence.

If Home Depot had been hit for the full value of this breach, the
total societal cost that we will all bear in law-enforcement,
bailouts, and lost productivity from its wrongdoing, then their
investors would shit themselves — and so would their
insurers. Within the year, every major corporation would have
activist investors demanding cybersecurity insurance to a large
slice of the business’s full market cap, and insurers would be
hiring security experts to give these companies security
colonoscopies, demanding basics like password hash-salting, TLS,
data minimization practices, frequent audits, and all the other
basic measures that should already be in place.

But for so long as the value of a lifetime of identity-theft risk is
priced at thirty cents, none of that will happen.
