SamWhited|blog

Security on the internet

These days computer security is a hot topic. Companies tell us how hard they work to ensure their users safety, and the media throws around buzz words like “military grade encryption” constantly. And yet, despite all of this hype and the general trend of wider public awareness, many of the largest companies still don’t understand basic security principles. Social media companies such as Facebook and Twitter have taken steps to allow encrypted connections to their services via SSL/TLS (Or “Secure Socket Layer,” and its successor, “Transport Layer Security,” the encryption protocols behind HTTPS), but they still don’t have them enabled by default for the majority of their users—meaning your password can easily be stolen by the guy sitting across the coffee shop from you on the same public Wi-Fi hotspot. A recent request for investigation [PDF] filed with the Federal Communications Commission (@FCC) exposed file-hosting company Dropbox for allowing its employees to access customers encrypted files, and even worse than all that is the recent string of attacks by the hacker group referring to itself as “LulzSec.” Victims of these attacks were exploited using relatively simple attack vectors and included high-profile companies such as PBS, Sony (NYSE: SNE), Sony again, and—allegedly—InfraGard, a non-profit partner of the FBI. Even security companies and defense contractors aren’t immune, with RSA, The Security Division of EMC Corporation (NYSE: EMC) recently announcing that a vulnerability in its SecurID two-factor authentication product had been exploited by unknown attackers to infiltrate Lockheed Martin (NYSE: LMT). If these big players can’t keep up, how’s a small business or individual supposed to ensure their data is secure? The answer, as it turns out, is “easily.” Below are a few easy steps you can take to make sure your data is secure.

Website security

One of the most basic ways you can protect yourself online is by visiting social media sites, email, etc. via SSL where supported and enabling any options to force SSL encryption. These options are available on all the major social-media / webmail sites including Facebook, Twitter, Gmail, and Hotmail.

If you own a website or other internet-based service that doesn’t implement SSL/TLS, enabling encryption is one of the best (and easiest) things you can do to secure your site and protect your visitors. This is as easy as purchasing and installing a certificate from a trusted Certificate Authority. I recommend RapidSSL (49.00 USD / year) or Network Solutions (39.99 USD / year). Unfortunately, SSL certificates do often cost good money, and this can be tough on individuals or small businesses. However, it is possible to secure your site using a free CA such as CAcert or StartSSL. The trade off is that these certificates are not trusted by as many browsers, so your users may see confusing warning messages when trying to visit your site over HTTPS unless they install your providers root certificate. Bear in mind that the strength of your SSL certificate is only as strong as the protection of your private key (the part of the certificate that is installed on the server). SSL only works as long as no one else has access to the private key which is used to encrypt communications, so if your private key is stolen—perhaps due to a server vulnerability, or an attacker gaining physical access to the machine—there’s no guarantee that the encrypted channel is actually private. If you’re not using an untrusted or self-signed certificate, you might also consider enabling the “Strict-Transport-Security” header which tells modern browsers that your site supports SSL and that they should use it whenever possible.

Another simple thing you can do to protect your website is to make sure your forms are not vulnerable to SQL injection (or, more generally, code injection). The recent PBS / Sony hacks were performed by a simple tool which automatically injected SQL code into a page using the login form. This sort of problem is one of the deadly sins of the web. It is absolutely inexcusable to be vulnerable to such simple attacks. If you’re interfacing with a database, either use existing libraries which are known to be secure, or use parameterized statements. Many websites think that because they sanitize their input, they’ll be okay. However, this approach is fairly naive, and won’t catch 100% of the tricks hackers use to bypass your security.

Even following these basic steps, it’s still (easily) possible that some little oversight may lead to a vulnerability and your site could be compromised. When this happens, what data could an attacker get? If the answer is “plaintext passwords,” you’re still doing it wrong. Lots of companies choose to store user passwords in plaintext, meaning that anyone who gets a dump of the password database can instantly login as any user and compromise other user-data (perhaps due to that cardinal sin, password-reuse). Have a little respect for your users and save their passwords as salted hashes.

Email security

Email security is another beast all together. As stated in the IETF’s RFC 1855:

“Unless you are using an encryption device (hardware or software), you should assume that mail on the Internet is not secure. Never put in a mail message anything you would not put on a postcard.”

Email encryption is an underutilized tool that should be used whenever possible. Most mail clients support either S/MIME or PGP/MIME, and even if they don’t, attachments and text can always be encrypted and/or signed (so that a recipient knows they came from you) with a free program such as GNUPG which implements the OpenPGP standard. Personally, I prefer PGP to S/MIME when signing and encrypting emails. For the system to really work, unfortunately, everyone needs to encrypt all of their email all of the time. This way an attacker can’t tell the difference between emails containing sensitive data, and those that contain pictures of your cats.

Other simple steps you can take to ensure your email is secure include implementing a two-factor authentication system. This approach is becoming more popular among the consumer sector, with Gmail recently implementing it for regular and Google Apps users. Two-factor authentication can take many forms. Gmail’s approach involves calling or texting the user’s cell phone and giving them a code which they must enter every time they log in (along with their username and password). Two-factor authentication can be used for much more than email, however. It’s common practice to require it when logging into websites, remote servers, and even for physical locks.

Conclusion

There are all sorts of ways to enhance your security online, and there are many more I’d love to cover here (such as using public-key authentication for SSH connections), time permitting. However, for now, enough—and then some—has been said. Online security is important to the modern internet, and even a basic knowledge of general good-security principles goes a long way towards protecting you and/or your customers. With that in mind, I encourage you to think about your own security, and work towards improving it in the future.

EDIT: After taking recent events into account, I’ve decided not to even entertain the argument that Lulz Security is a grey hat group. Their antics were always in rather bad taste, but now they’re just plain disgusting.

EDIT: And now there’s confirmation directly from Lulz Security that they are no more than petty cyber-crooks.