Sunday, July 10, 2011

Secure Internet's Faltering Dreams


Many of the insecurities are human errors rather than computer errors. You could only engineer a system to a certain level for security and the rest of the system depends on the human operator for it's security.

Let's take for an you are accessing a website that runs over HTTPS and is secured with 256 bit Camilla or AES or whichever you fancy as the most secure algorithm with a SHA1 checksum (supposedly the most common secure algorithm for message digest). There is a small form to win an electronic prize and you decide to enter your credentials into that form on a secure page. A few days later, you noticed your email box is not yours anymore and "visits" from telemarketing people become more irritatingly frequent. Who do you blame ? Usually people would blame that "secure website is insecure". The reason the website is "insecure" is because you have decided to betray yourself and reveal your personal credentials to some unknown form you have no idea if it's secure or not.

Creating a second secure internet would be very expensive on anyone's resource without a doubt. The main problem is human errors and issues which computers could not replace and a computer solution is intended to solve fundamental human problems (e.g. willingly accessing insecure webpages) which the computer have no final say over it.

The main solution for Government networks and computers is to really really test and ensure the worst cases could be handled, segregated roles and trust levels using Mandatory Access Control in a very well designed way whereby a breach in a particular level would not affect everyone. Frequent planned live penetration testing (including surprise checks) should be taken into serious consideration and carried out.

Contractors to National Defense and Security related should be accessed thoroughly and to be tested frequently to ensure meeting of agreed National Standards and ensure those contractors know what they are talking about and could meet the agreements and contracts they have agreed upon to deliver or punishments to be handed out to them according to the Law and contracts they have signed.

The total removal of rights to have privacy would meant that operators of the secure domains are equally susceptible to such terms and users could turn around and want to proof the operator of the domains. 

Many of the cyber crimes are committed because users simply trusts all websites and the huge problem is with server side security. You can have a secure HTTPS or SSH connection but your servers cannot proof themselves and have weak or no security at all. RSA's hack is a very good example of an insecure database where attackers could waltz in and claim what they want. HBGary's hack is another classic example of an insecure mail server. The major problems are with the server side, not the client side. The client side have always been subjected to scrutiny by IDS, IPS, Firewalls ...etc... it is time for the server to prove themselves as well. Most users would not really notice "" and "". The "l" was replaced by a "1". It looks the same but the ASCII value is different and thus, the traffic would go to a probably malicious domain.

Everyone needs privacy and it's a basic need of everyone. If these basic needs are not meant, the walled garden of a secure domain would have little visitors and more insecurity as more people prefer to go by the "insecure" route if they could avoid being searched electronically. This would spike up the number of cyber attacks on users and the resources spent on building those walled garden with the intend to provide safe haven would not be used and thus a waste of resource.

The Internet was not designed with security in mind during the beginning phases and it's a fact we must live with. It is better to have our own freedom then to be submitted to some absurd electronic pat down or checkpoints and to surrender all our freedom.

Whoever proposed this idea had the same absurd Security Theater implemented on the US checkpoints and US Defense and Security. Security Theater WILL NOT WORK unless properly implemented.

Oh ... did I forget to mention the TSA officer who stole electronic gadgets from passengers ? How can anyone trust the officials these days when they are not upright themselves ?

No comments: