risk management Software

Unlikely but just about plausible

I’ve recently been working with the Centre for Risk Studies in Cambridge on some extreme scenarios: one-in-200, or even less likely events. It’s been an interesting challenge, not least because it’s very difficult to make things extreme enough. We find ourselves saying that the step in the scenario that we’re working on would never actually happen, because not everything would go wrong in the right way. But of course that’s just the point: we’re looking at Swiss cheese situations.

A couple of times we’ve dreamt up something that we thought was really unlikely, only for something remarkably similar to turn up in the news. We came up with the idea that data could be irretrievably corrupted, and a few days later found ourselves reading about a Xerox copier that irretrievably corrupted the images.

So I was really interested to read a story about a security researcher who’s apparently found a really nasty piece of malware — except it’s not clear if he’s making the whole thing up.

People following this story fall into a few different camps. Many believe everything he says — or at least most of it — is true. Others think he’s perpetrating a huge social engineering experiment, to see what he can get the world and the media to swallow. A third camp believes he’s well-intentioned, but misguided due to security paranoia nurtured through the years.

The thing is, the individual pieces of the scenario are all just about possible. But is it possible for them all to happen in a connected way? For the holes in the swiss cheese to line up?

The absolutely amazing thing about this story is that nearly everything Ruiu reveals is possible, even the more unbelievable details. Ruiu has also been willing to share what forensic evidence he has with the public (you can download some of the data yourself) and specialized computer security experts.

Where developments start getting preposterous, no matter how much leeway you give him, is how many of the claims are unbelievable (not one, not two, but all of them) and why much of the purported evidence is supposedly modified by the bad guys after he releases it, thus eliminating the evidence. The bad guys (whoever they are) are not only master malware creators, but they can reach into Ruiu’s public websites and remove evidence within images after he has posted it. Or the evidence erases itself as he’s copying it for further distribution.

Again, this would normally be the final straw of disbelief, but if the malware is as devious as described and does exist, who’s to say the bad guys don’t have complete control of everything he’s posting? If you accept all that Ruiu is saying, there’s nothing to prove it hasn’t happened.

I don’t know. I haven’t looked into the details at all, and probably wouldn’t understand them even if I did. But there’s certainly a lesson here for those of us developing unlikely scenarios: it’s difficult to make things up that are more unlikely than things that actually happen.

risk management

Low tech risks

High tech risks are out there, and are potentially serious, but low tech risks don’t go away, and may be just as serious.

For example, we learned recently that Edward Snowden managed to get hold of people’s user IDs and passwords, giving him unauthorised access to some of the classified information that he then leaked.

I’ve worked in several organisations where it was standard practice for sysadmins to ask me for my password when they needed to fix a problem on my machine. I would always complain, but there was little I could do about it: especially as in one case, you weren’t allowed to change your password twice within (say) three days. And there are any number of websites that first insist that you register with them in order to make full use of the site, then confirm your password by email after you’ve registered and, sometimes, whenever you change it. They are getting to be less common, but they still exist.

And then you get the problem of your bank ringing you up out of the blue, and asking you to confirm your identity. No, sorry, I don’t give out personal information over the phone to unknown callers.

It’s difficult enough to keep track of passwords without reusing them. I have a reasonably simple scheme, based on a standard stem with additions based on the site address, but some organisations insist on a rather longer password than I usually use, or require some special characters, or forbid the use of others. It’s especially annoying that the most fussy sites seem to be ones that aren’t particularly sensitive, in that they don’t have any personal information.

So I can’t rely just on my memory, and I use LastPass to record passwords, memorable phrases, dates, and answers to all those security questions that don’t actually have obvious answers.

In general, it seems to me that there are still too many organisations that don’t follow good practice, and require risky behaviour from users. Things don’t seem to change much: I’ve written about this before.

risk management Uncategorized

The big guys don’t always know what they’re doing

You’d think that a really big software company, like Adobe, would know what it’s doing. But no. You may have noticed that there was a big data breach: millions of usernames and (encrypted) passwords were stolen. But they were encrypted, so no big deal, right?

Ah. Well. That’s the point. As this article explains, it was indeed the encrypted passwords that were stolen, not the hashes (if this is gobbledygook to you, the article has a very clear explanation of what this means). As the password hints were stolen too, it turns out to be really easy to decrypt many of them.

Now, I am by no means a security expert. And for websites I build nowadays, I use a ready-rolled solution (usually WordPress). But when I wrote things from scratch, even I knew better than to store the encrypted passwords. I may not have used the most secure hashing algorithm, or proper salting, but I didn’t encrypt the passwords.

(HT Bruce Schneier)
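To make the encrypted-versus-hashed point concrete, here is an added illustration (not code from the linked article or from Adobe) of an audit you can run against your own password store: do identical passwords produce identical stored values, so that several users' hints end up describing the same secret? The sample accounts, `SITE_KEY` and all function names are constructed, and HMAC is used only as a stand-in for unsalted encryption under one site-wide key.

```python
import hashlib, hmac, os
from collections import defaultdict

SITE_KEY = b"constructed-demo-key"  # assumption: one key shared by all accounts

# Constructed sample accounts: (user, password, hint)
USERS = [
    ("alice", "rex2013", "my dog + year"),
    ("bob", "rex2013", "dog's name then 2013"),
    ("carol", "rex2013", "rex"),
    ("dave", "Tr0ub4dor", "xkcd"),
]

def deterministic_record(password):
    """Weak design: the same password gives the same stored value for everyone.
    HMAC stands in for unsalted encryption under one key (assumption)."""
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).hexdigest()

def salted_record(password):
    """Hardened design: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()

def verify_salted(password, record):
    """Recompute the KDF with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split(":")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)

def hint_clusters(store):
    """Audit: group hints by stored value and return every group in which
    more than one user's hint is attached to the same stored password."""
    clusters = defaultdict(list)
    for _user, password, hint in USERS:
        clusters[store(password)].append(hint)
    return [hints for hints in clusters.values() if len(hints) > 1]

if __name__ == "__main__":
    print("deterministic:", hint_clusters(deterministic_record))
    print("salted:       ", hint_clusters(salted_record))
```

With the deterministic scheme the three hints for the shared password land in one group; with per-user salts the audit finds no groups, while login verification still works.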

risk management

Unintended consequences

Facebook bans at work are apparently linked to increased security breaches. It seems that strict policies on social networking sites are “actually forcing users to access non-trusted sites and use tech devices that are not monitored or controlled by the company security program.” People are very adaptable, and often very determined. If you stop them doing something one way, they’ll find another. Computer security is really difficult, as it’s by no means a matter only of technology: human nature is a major factor, and often more easily predicted with the benefit of hindsight.

For instance, Bruce Schneier points out that if something’s protected with heavy security, it’s obviously worth stealing. It’s the converse of Poe’s The Purloined Letter, in which the best hiding place is in full view. Does this apply to computer systems?

Interesting Uncategorized

Interesting links

Some things I’ve found interesting:

  1. Have you seen those Google ads on the tube? The example they give of a strong password isn’t so strong after all. It’s always worth checking the statistics.
  2. The important field – as usual with xkcd, make sure you read the alt-text
  3. Language is not writing, and some myths that arise from the mis-identification
  4. Sometimes, animations are the best way of showing data. This is a great one on global warming.
  5. Don’t believe everything you read on Wikipedia – and remember the alt-text!