Security and privacy will always be an imperfect balancing act: The Alphr view
We had always planned to focus on security and privacy in April, but recent events have certainly reminded us why it’s necessary. In March’s terror attack in London, you see two sides of the same coin: the real and serious threats we face in the 21st century, and the technological illiteracy of those looking to prevent them.
Ignoring the dubious question of whether reduced security would have prevented this attack (current theories suggest that the man acted alone), there’s a maddening lack of comprehension of a simple fact: there is no such thing as a security backdoor that only lets good guys through. It’s a binary choice: either messaging apps are encrypted, or they’re not. To suggest otherwise betrays either an ignorance of technology or a crude attempt at a state power grab.
There’s another layer of irony here: in a world where internet-security breaches are a monthly occurrence, WhatsApp’s encryption shows a rare degree of forward-thinking that most of us don’t consider as we carelessly sign up to dozens of websites each year. With more and more data online, from bank details to fitness data, the damage that can be done by hackers becomes increasingly unnerving.
(Chart: via Statista.)
This month, we’ll be taking a look at the issues surrounding security and privacy, but as a starting point, here’s a series of thoughts from Alphr’s writers.
Ian Betteridge: Security, not security theatre
The biggest security threat in your organisation is sitting down, reading this: it’s you. Not that you’re going to hack your own company, or sell secrets to competitors, but simply in terms of the potential to believe that you’ve done enough about it.
Let’s be clear: you can never do enough about the security of your technology. It’s something that you constantly need to be aware of, and you should always evaluate how much more you can do.
But the biggest challenge actually comes from something I call “security theatre”: being seen to do things, without actually considering how effective they are. Simply switching to a cloud-based email service that offers two-factor authentication won’t make your business secure, but it is something people can point to and say “we’ve done things”. No system is secure unless you build a culture of security around it.
This month is all about real security, rather than security theatre.
Alan Martin: A real problem most people don’t consider until it’s too late
Good news and bad news. The good news is that you’re less likely to have your home broken into than you were a decade ago. The bad news is that the personal touch of the old-school burglar has been replaced by something that’s actually far worse, even if you feel less violated in the short term.
It’s not like we haven’t been warned. Cybersecurity experts have been screaming at how useless we are with passwords and online activity for years, but it’s a hard topic to make interesting. Only a handful of people read locksmith magazines offline, so why would we expect cybersecurity to be any less niche? We only really take an interest in security when it’s too late, and a lifetime’s worth of personal data is up for sale on the dark web to the highest bidder… probably for an insultingly low figure you’d rather not know.
Like most people, my online security was awful, because life just seemed too short. When Yahoo was hacked yet again, I took steps to address the problem, and shut down the account. But going through 12 years’ worth of emails, I found just how many breadcrumbs I’d left dotted around the internet. Dozens of sites that I’d signed up to, made a single order from and then forgotten about.
I use a password manager now, but perhaps the most worrying thing about my old system – which without giving the game away, was only marginally better than reusing the same password everywhere – was that it was still better than most, and was enough to keep me safe throughout my 20s.
It’s probably time you made yourself harder to hack than the person next to you. But remember that if someone is really determined to hack into you, they’ll likely find a way. Pray that you’re not interesting enough to bother with.
Jane McCallion: Security’s still a mystery to most people, and that’s a problem
There’s a problem for those of us in the information security world – we love talking to each other, but are really bad at telling others what they should and shouldn’t worry about.
We sit around and talk about malicious actors and APTs and RATs and whaling and phishing and so on and so on. We all know what we’re talking about, but for anyone on the outside it’s baffling. Attempts to make the area more accessible by using codenames for hacking groups and malware haven’t really helped either – in fact, I suspect it may have made things worse.
Even I’m guilty of it, and I spend much of my working life writing and talking about security, but there’s a fairly safe assumption that, on Alphr’s sister site IT Pro, when I’m writing about the nuts and bolts of a vulnerability, patch, attack or product, the reader is already somewhat knowledgeable.
This disconnection between the security community and the general public makes itself manifest in so many ways. Hackers in stock photos are still faceless, black-hoodie-wearing young men at best, or someone in a balaclava at worst. If there’s any concept of a “hacker army”, they probably look more like a member of the Russian or Chinese intelligence agencies than a Western one.
There are very basic problems, too. Password security is still far from a priority – ease of use and memorability are top of mind, rather than ensuring high entropy, while router and device defaults are rarely changed – indeed, sometimes they can’t be changed. There are solutions out there that some younger people use (like Alan), but trying to get the older generation – those who were PC and office computer pioneers but are now entering retirement – to use tools such as password managers is an uphill struggle. The long-held wisdom that an easy-to-remember password that you don’t write down or share is best holds more weight with them and others than “here, use this tool that will generate a random string of characters you will never remember and store them online”. It’s counterintuitive.
As more and more devices get connected to the internet (I refuse to talk about “smart” toasters etc – they don’t have anywhere near the processing power for that), we will see more attacks powered by the likes of Mirai. The likelihood of this being apocalyptic, as some have predicted in the past, is low: you’re not going to make any real geopolitical impact through spontaneous toaster combustion. But sustained DDoS campaigns carried out by huge botnets made up of poorly protected “smart” devices? That could be a game changer, depending on who they target.
Either way, I don’t think I’ll be running out of things to write about any time soon.
Thomas McMullan: It’s a difficult subject to grip
Conceptualising digital security isn’t easy. Think about physical security and you may have a relatively good grip on locks, shutters, doorways, boxing gloves, drawbridges, moats, and so on. Think about online security and, unless you’re well versed in a whole lot of black-hat lingo, you’re left grasping at half-understood terms for invisible processes.
Then there’s the other side of the coin: privacy. Post-Snowden, citizens were up in arms about unfettered government snooping, but how has this translated into legislation? As of late, not brilliantly. The Snoopers’ Charter passed into law in the UK last year, and this year there are serious moves to undermine consumer privacy in the US. Underpinning all of this is a feeling that – as much as people say they care about privacy – pushing for action is another matter, once again connected to the difficulty in gripping what the limits and expectations of digital privacy actually are.
It’s a subject that’s not going away, and the hope is that digital security does become something that’s more widely understood. With the advent of connected devices across our homes and cities, the amount of information about private citizens is about to skyrocket. Will we detach ourselves further from our data (putting faith in the cloud)? Or will we react differently to the security and privacy questions surrounding sensors in our homes than to our WhatsApp messages?