Friday 8 December 2017

Data Security: Just Read The Instructions

Basic internet security isn't that hard, but people who should know better still contrive to foul it up.

Image: Blue Devil Hub / Creative Commons

I'm a professional software developer with some grounding in the mathematics of cryptography, but not an Internet security expert. In this context, I don't need to be. I know wretched carelessness when I see it.

The famous case from this week is the Cabinet minister Damian Green. A former detective with the Metropolitan Police claims to have found thousands of pornographic images on the computer in Green's parliamentary office:

In his first broadcast interview about the investigation, Lewis was asked by the BBC how he could be sure it was Green, now the first secretary of state and effectively May’s deputy, who accessed the images. He said: “The computer was in Mr Green’s office, on his desk, logged in, his account, his name.

Green's fellow Conservative MP Nadine Dorries stepped forward to try and defend him:

With friends like these, Green has little need of enemies.

There are two explanations for the images on Green's computer. Either he put them there, or someone else did. The latter case could have been an ingenious Hollywood-style hacker, but Dorries' scenario of an intern allowed to share Green's login is a lot more plausible.

Either way, it's a flagrant violation of Parliament's IT policy. In any large organisation, downloading pornography or sharing your login is a serious offence and would provide grounds for dismissal. These rules exist for good reasons. Breaking them is not only wrong, but incredibly unnecessary.

You want to look at porn? Fine, download it at home. Your intern needs access to data? Fine, set up the intern's own account to allow it.

This is basic, basic online security, and there's absolutely no excuse for being unaware of it. There may, however, be an explanation.

(Regular readers of this blog will be aware I'm no friend of the Tories. One way or another, Green was being a goddamned idiot. But I'm interested in the wider context of his idiocy.)

By way of illustration, this week I was trying to book a hotel in a remote part of the Scottish Highlands. I stayed there before, more than a decade ago, and had a very nice time.

When I inquired about availability, they invited me to send them credit card details in an unsecured email.

Even here, online fraud should be a concern.
Image source: Wikimedia Commons

Again, this is kindergarten-level security. Emails are not private. You do not put sensitive information in them. Not ever.

Clearly someone, at some point, had told the hotel this was a bad idea. So they suggested I put the "long number, expiry date and code in 3 separate emails / secure attachments".

This does not make the information secure. Splitting the long number, expiry date and code across three emails achieves nothing, because anyone who can read one of them (on the wire, on the mail server, or in the hotel's inbox) can read all three. Nor is an attachment any more private than the email carrying it unless it has been encrypted end to end. With public-key encryption it might be, but since the hotel didn't provide any encryption key, I am confident in my belief they would not know a secure attachment if it stood on a chair and performed a medley of Broadway musical hits.
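For the record, this is what a genuinely secure attachment involves. The example below is added here and is not from the hotel or the original post; it shows the step the hotel skipped (generating a key pair and publishing the public half), then a customer encrypting the card details to that public key with a one-time AES-256-GCM key wrapped under RSA-OAEP, so that only the private key holder can read them and any tampering is detected. The OAEP label and the test card number are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Hypothetical label binding the wrapped key to its purpose; both sides must agree on it.
var oaepLabel = []byte("card-details-attachment")

// SealedAttachment is what a customer would actually attach to an email:
// nothing in it is readable without the recipient's private key.
type SealedAttachment struct {
	WrappedKey []byte // one-time AES-256 key, encrypted with RSA-OAEP to the recipient's public key
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// NewRecipientKey is the step the hotel skipped: generating a key pair and
// publishing the public half so that customers have something to encrypt to.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts plaintext so that only the holder of the private key matching pub can read it.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*SealedAttachment, error) {
	key := make([]byte, 32) // AES-256 content key, used once and then discarded
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the content key so only the recipient's private key can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &SealedAttachment{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open recovers the plaintext. It fails for the wrong private key and for any
// modification of the ciphertext, because GCM authenticates what it encrypts.
func Open(priv *rsa.PrivateKey, s *SealedAttachment) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

func main() {
	hotel, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: the well-known Visa test number, not a real card.
	card := []byte("4111 1111 1111 1111, exp 12/20, code 123")
	sealed, err := Seal(&hotel.PublicKey, card)
	if err != nil {
		panic(err)
	}
	fmt.Printf("attachment: %d bytes of ciphertext plus a %d-byte wrapped key\n",
		len(sealed.Ciphertext), len(sealed.WrappedKey))
	plain, err := Open(hotel, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("hotel reads: %s\n", plain)
	// Anyone else who intercepts the email has only their own key, which is useless.
	stranger, _ := NewRecipientKey()
	if _, err := Open(stranger, sealed); err != nil {
		fmt.Println("interceptor gets:", err)
	}
}
```

The point is not that a hotel should roll its own crypto; PGP or S/MIME do the same thing with proper key management, and a payment form served over TLS does it without involving email at all. The point is that every one of those options requires the recipient to set something up before the customer sends anything. "Three separate emails" sets up nothing.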

I mean no disrespect to the quality of the hotel. I had a very pleasant stay there in 2005, and no reason to believe it has declined. I'm sure its owners and staff work hard and are very competent at what they do. But when it comes to IT security, it is plain they are dangerously ignorant. As a consequence, they are inviting their customers to expose themselves to online fraud.

This situation is likely to be commonplace in small businesses across the world. Running a hotel is a challenge, and it's easy to convince yourself IT security isn't all that important. When large organisations like the NHS are not bothering to keep their operating systems patched and supported, it's hardly surprising that small businesses are just as careless.

While Parliament is a large organisation, individual MPs operate more like small businesses. They answer to their constituency voters as well as the national party. When it comes to staffing their private offices, they have sole authority to hire and fire. It's a remnant of amateurism in British politics, and in general it has its good points; in the specific area of IT security, not so much.

What's needed here is a change of culture. I'm enough of an optimist to hope it might take hold, as a younger and more savvy generation reaches positions of leadership.

Online security is not optional, and being a small business is not an excuse. To put it in terms Tory MPs might understand: Your barrister or accountant might very well be a small business. If important documents go missing, and the lawyer shrugs and says the intern had the combination to the safe, I suspect you would not be inclined to forgiveness. Carelessness with online security is no different.
