As most transactions nowadays take place online and most work requires some kind of access to information online, information security is becoming ever more important in our daily lives. Yet there is always a gap between principles and reality, and sometimes we knowingly give up security for either convenience or, well, lack of choice. Here I will give a few examples of things I have observed over the years.
- "Can you fill out that form and email it to me?"
This is the most common form of security breach I have seen over the years; unfortunately it still happens, and sometimes we simply do not have a choice.
I remember that one of my former employers asked me to fill out a form that had my SSN and other sensitive information in it. They insisted that I fill it out and email it to them. I had to get on the phone with them and explain why I would not want to do that. Eventually they understood my concerns, and I went into their office and filled out the forms.
Sometimes, however, you will find yourself not so lucky. There was one time when I asked someone to fax something to me, but instead of sending a real fax, the person scanned the documents I requested and emailed them to my home account. Well, there was a lot of sensitive information in the documents sent to me, and we all know that SMTP is inherently non-secure.
And the list goes on.
- HTTP and HTTPS
It is almost impossible nowadays to get something done without putting your personal information into some sort of online form.
Most of us are trained to check whether a page is secure (that is, whether the page uses https) while doing online shopping, especially during the checkout stage. But unfortunately very few people understand what these protocols actually do and do not guarantee.
I have seen numerous websites that use a non-secure page for the user name and password form, and upon entering such information, the non-secure page posts to a secure page for further processing. The rationale is to improve site performance, as https takes a significant performance hit due to encryption. In fact, this practice is still widely used. So, is it secure? Well, most people (including one of the architects I worked with before) would assure you that this clever solution is secure. But unfortunately it is not. The weakness is that the form itself is delivered in the clear, so nothing guarantees the user that it really posts to the legitimate https endpoint. A man-in-the-middle attack can be achieved as follows: the attacker intercepts the non-secure traffic and redirects the user to an https site of his own that mimics the real one, and bingo, he can now see what the actual user passwords are.
A poorly architected secure site sometimes retrieves information over both http and https (mixed content), and that leaves the secure content on the https pages vulnerable as well.
But in real life we really do not always have the luxury of not proceeding. Some very large financial institutions still use the technique mentioned here, and sometimes the information we need is available only on their website.
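One check a practitioner can run against a fetched page to catch both weaknesses above (a password form delivered over plain http, even if it posts to https, and http sub-resources on an https page). This is an added example, not code from the original post; the page URLs, host names and HTML samples are constructed.

```python
"""Audit fetched HTML for a login form served over plain HTTP and for
mixed content on an HTTPS page. Standard library only; offline."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []   # [resolved action URL, has password field]
        self.mixed = []   # sub-resources fetched over http://
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = [urljoin(self.page_url, a.get("action") or ""), False]
            self.forms.append(self._cur)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._cur is not None:
                self._cur[1] = True
        elif tag in ("script", "img", "iframe", "link"):
            src = a.get("src") or a.get("href")
            if src and urlsplit(urljoin(self.page_url, src)).scheme == "http":
                self.mixed.append(src)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit(page_url, html):
    """Return a list of findings; an empty list means nothing was flagged."""
    p = FormAudit(page_url)
    p.feed(html)
    scheme = urlsplit(page_url).scheme
    findings = []
    for action, has_pw in p.forms:
        if not has_pw:
            continue
        if scheme != "https":   # the form itself travels in the clear
            findings.append(f"password form delivered over {scheme}: {action}")
        if urlsplit(action).scheme != "https":
            findings.append(f"password form posts in the clear to {action}")
    if scheme == "https":       # mixed content only matters on a secure page
        findings += [f"mixed content: {s}" for s in p.mixed]
    return findings


# Constructed samples: the "clever" pattern from the text, and a mixed-content page.
SAMPLE_LOGIN = ('<form action="https://bank.example/login" method="post">'
                '<input name="user"><input type="password" name="pw"></form>')
SAMPLE_MIXED = ('<script src="http://cdn.example/a.js"></script>'
                '<form action="/login" method="post"><input type="password" name="pw"></form>')
```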
Another example is checking work email at home without using a VPN. Many workplaces use web-based Outlook so that employees can check their email at home without having to connect to the corporate network.
Office 2003 does have the ability to perform encrypted RPC over http, so it is presumably OK for employees to check their email over a non-secure connection to a properly configured web server hosting Outlook 2003. HTTPS is still the preferred method, nevertheless. But a company I worked with before was using Office 2000, and the connection was over standard HTTP. In such a scenario, employees really do not have a choice but to hope that the security measures will one day be tightened.
Another widespread security problem is serving documents directly, as raw files, even over HTTPS. Even though the site requires you to log in securely to view your documents, anyone who knows the URL of your document can also view it if the document is served directly by the web server, because the application's login is never consulted; this poses the risk of access rights violations. This is indeed very worrisome. Over the past few years, I have seen institutions put customer records into some sort of document (e.g. Word), put them on their website protected by a password, and allow only selected business partners to view them. But the problem is that these documents can be served directly over the internet, bypassing any security measures, if the URL is known. Again, unfortunately, we really do not have a choice sometimes and can only hope that the location and the document name are secret enough that an attacker would not find them easily.
The only correct way to address this issue is to MIME encode the document and post it to the browser from the web application, instead of serving it as a raw file. When the document is posted this way, the web application gets a chance to check the permissions of the requestor before any of the document's content is served.
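What that looks like in application code: the document is looked up and streamed by the application, with the permission check done before a byte is sent, rather than exposed as a file under the web server's document root. Added example, not the original post's code; the document store, user names and file contents are constructed, and the in-memory store stands in for a directory outside the web root.

```python
"""Serve a document through the application, after an authorization check,
with the proper MIME headers. Standard library only; offline."""
import mimetypes
import os

# Constructed store: doc id -> (filename, set of users allowed to view it, bytes).
# In a real deployment the bytes would be read from a directory that the
# web server does NOT expose directly.
DOCS = {
    "rec-1001": ("customer_records.docx", {"partner-a"}, b"PK\x03\x04 constructed docx"),
    "rec-1002": ("statement.pdf", {"partner-b"}, b"%PDF-1.4 constructed pdf"),
}


def serve_document(session_user, doc_id):
    """Return (status, headers, body) for a GET /docs/<doc_id> request.

    The permission check happens here, before any content leaves the
    application, which is exactly what a raw file served by URL never gets.
    """
    if session_user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="docs"'}, b""
    entry = DOCS.get(doc_id)
    # Same answer for "no such document" and "not yours": a caller that is
    # merely guessing URLs learns nothing about which ids exist.
    if entry is None or session_user not in entry[1]:
        return 404, {}, b""
    filename, _, data = entry
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    headers = {
        "Content-Type": ctype,
        # Download as attachment with a basename only: no path traversal into
        # the header, and the browser does not render it in the site's origin.
        "Content-Disposition": f'attachment; filename="{os.path.basename(filename)}"',
        "Content-Length": str(len(data)),
        "Cache-Control": "no-store",  # keep copies out of shared caches
    }
    return 200, headers, data
```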
- Password policies
Most companies require strong passwords and require employees to change them on a monthly basis. This sounds like a very good security measure but unfortunately results in passwords written on post-its or stored on computers in plain text… The problem is that a strong password is hard to come by and even harder to remember, and requiring it to change often only adds insult to injury.
What I would propose instead is that companies require employees to use very strong passwords (e.g. more than 10 characters) and expire them only when the passwords are believed to be compromised.
- Snail mail is just as bad
Besides the obvious, like printing the SSN on the envelope, snail mail is not all that secure either. And we all know what ramifications a lost piece of mail might have…