Security Summed Up: Gullible Users Need Protection
Hackers embarrass the companies they exploit but the victims who need better protection are their customers, says Eric Doyle
Why does Facebook not get the security thing? Why is every “improvement” introduced quietly and often without fanfare? It’s because we are all mugs and Facebook knows how to play the game to its own advantage.
Most people don’t grasp what security is about and are being forced by government policies and lured by retailers into an Internet environment they cannot yet comprehend. The hackers play us all for innocents abroad, there to be taken advantage of. The problem is that “us all” also embraces far too many companies that should be guarding our interests instead of their own.
Security Is A Mug’s Game
In a benign way, Facebook uses the same fallibility in human nature that the hackers prey on maliciously: the majority of us don’t really understand the World Wide Web and its mesh of interlinked security threats.
Every few months on Facebook, messages circulate from friend to friend to warn about some new security setting that is open and should be set for privacy. The latest being the facial recognition feature that will find your physog in other people’s photos and offer to tag you in.
When the feature was quietly introduced it was set to “enabled” and, for many people, it will stay that way. Not because they want to be tagged but because they simply don’t understand security and wouldn’t have the faintest idea where to go to disable the feature.
Of course, the reason why Facebook enables features by default is simply because of this. Many people don’t set their privacy settings and that’s good for revenue streams from advertisers who can legally access the information of their new-found “likers”.
Too much is assumed about security these days. A good example is the recent hack of Codemasters games software Website. Responsibly, but late, the company notified all users affected by email that they should change their passwords.
“For your security, in the first instance we advise you to change any passwords you have associated with other Codemasters accounts,” the email said. “If you use the same login information for other sites, you should change that information, too. Furthermore, be extra cautious of potential scams, via email, phone, or post that ask you for personal or sensitive information.”
The company also closed its main Website and redirected traffic to its Facebook page where there is a forum. Reading through some of the Topics, such as Codemasters.com Attacked? Is this True?, is enlightening, frightening and comforting all at the same time.
Dazed And Confused
Some users are bemused, some suspicious, several very angry but there is that reassuring few who try to explain what is going on to placate the others.
“Come on Codemasters – give us a clue.. is this for real?” asks one user.
“You mention that passwords were “encrypted”. Were they encrypted or hashed? Was a custom algorithm used? Were they salted? What was the digest size? I want to know how likely the possibility is that passwords could be brute forced,” demands another.
“Every time I try to get to the Codemasters Website it redirects me to their Facebook page so how can we get in to change our passwords and that when we can’t get on to change them,” asks a bemused customer.
The range of responses is wide and show that security is understood by a few, tolerated by others and a complete mystery to others.
It is this latter group that should be protected. The European Union, UK government and US government are all trying to set up the rules of engagement when it comes to security breaches. That the users/customers should take precedence is of prime importance.
A few of the Codemaster victims claim to have had Hotmail accounts hacked, credit cards compromised and other security incidents – this could be paranoia, could be coincidence, could be people looking for handsome compensation deals, or it may just be true.
All At Sea
Codemasters, Sony and Gawker are just three companies that could have done better when handling their hacks. It is clear that we not only need legislation to force disclosure of online security breaches but we also need a code of practice on how to deal with an incident.
It’s not the individual company’s problem, they are as lost at sea as the rest of us – trying to make sense of a world with few written rules.
Sony has become a serial “hackee” and doesn’t seem to know how to turn the data taps off across its sprawling empire. Codemasters is a relatively small company but this is its second hack in a month.
Most security professionals will be interested to learn that the first hack was an attack on the administrative systems and may well have had some success: “This admin access may have allowed alterations to our company Website,” Codemasters said at the time.
With no other facts to go on, perhaps it’s worth speculating that an initial attempt was made to plant malware on the system and the subsequent review of “all of our Websites and systems” could easily have overlooked a modern piece of hackerware.
Codemasters should maybe have been a little more cautious. Systems monitoring would have perhaps stemmed the flow of data before it became an embarrassing flood.