There's no defence. Not for us mooncalves. Not even for US defence contractors, who should know all about cybersecurity but who nevertheless managed to lose, among other things, the designs for the F-22 and F-35 fighter jets.
"Every day, all around the world, thousands of IT systems are compromised", says Iain Lobhan, the Director of GCHQ. He should know.
The upshot is clear – there is no such thing as a secure website. Secure websites are like unicorns. They don't exist.
When the Department for Business Innovation and Skills, for example, talk about work on their midata initiative and tell us that "this work is still in development by the midata programme participants, but broadly the proposal is that to gain access to their Personal Data Inventory, the customer would have to log-in to a secure website where ..." they might as well advise us to log in to a unicorn.
The suppliers whose business depends on selling us secure websites know this. How are they going to convince us to carry on paying for unicorns?
They've got a tough job.
One approach is to stop talking about mere secure websites and to offer instead super secure websites, as we saw the other day: "Mydex is providing the super secure Personal Data Store (PDS) for identity verification that will ...".
Superunicorns?
That's a bit weak. Either these resources are secure or they're not. It's like being pregnant – indistinguishable from being superpregnant.
But having embarked on that course, there's only one way to go: "The Mydex Trust Framework is a set of legal and technical rules by which members of a network agree to operate in order to achieve trust online. At its core it delivers a trusted digital identity, a hyper secure personal data store and platform from which individuals can connect to each other and organisations for the bi-directional exchange of information in a secure and verified manner".
Hyperunicorns?
What next?
No unicorns, no trust
Judging by that last example, what's next is a thoroughgoing mangling of the concept of trust. Unless you believe in unicorns, when someone offers you a trust framework or a supertrust framework or a hypertrust superframework, be warned. Be superwarned. Be hyperwarned.
----------
Updated 11.4.14
The day before yesterday Murad Ahmed warned us in the Times:
How important is that?
Bug puts internet passwords at risk
... Security researchers said they have discovered the “heartbleed bug”, which is a problem in the way the majority of websites encrypt their sensitive data. About 60 per cent of websites use the affected software, known as OpenSSL – a way of protecting information such as names, passwords, messages and financial information as it passes between computers ...
In a crowded field of experts, readers are recommended to believe Bruce Schneier when he says: "On the scale of 1 to 10, this is an 11":
To reiterate. If someone promises you a secure website, remember, whether they know it or not, it's really not in their gift, it doesn't exist, it's a unicorn, be hyperwarned.
Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
Half a million sites are vulnerable, including my own. Test your vulnerability here.
Updated 19.11.14
The CloudStore has been re-written for the second or third time and re-named the Digital Marketplace. No surprise to DMossEsq's millions of readers.
The Government Digital Service (GDS) have written about it on their blog, please see Digital Marketplace: building a digital by default service. They have nothing to say about digital marketplaces.
They just bang on about their digital by default service standard.
That's the standard they were following, presumably, which meant that we now apply to register to vote in the UK using a system which has to work without GDS's identity assurance (IDA).
Not ideal but perhaps just as well since the first public service which incorporates a public test version of IDA seems to be unusable, despite satisfying all 26 criteria of the digital by default service standard. Bad luck DEFRA.
And good luck to all those G-Cloud suppliers who will rely on the Digital Marketplace and to the central and local government departments who try to buy services from them – just look at the logo GDS have chosen.
Updated 23.2.15
Some people never learn.
The media have stories every day about internet security breaches. The latest story that has burrowed through DMossEsq's thick skull concerns the US State Department.
Blomberg report that the State Department's email service was infiltrated several months ago and that, despite the most expert efforts, it remains infiltrated.
If the State Department can't deliver security there is no reason to believe that the UK's chirpy little Government Digital Service can. And yet, refusing to learn, these dinosaurs continue to offer the unicorn of internet security.
If you are tempted to sign up for their GOV.UK Verify identity assurance service (RIP), the first thing GDS tell you is that that it's secure. Who is there left on the planet who might believe that?
Far from helping to prevent identity theft, GOV.UK Verify is more likely to promote it by centralising the entire population's personal information in the databases of just a few "identity providers".
Not only do GDS want to centralise all personal information, they also want you to give up the relative safety of multiple logon IDs and passwords and replace it with a single key to your kingdom.
If against all the odds you pursue this wild goose chase and choose Digidentity as your GDS-sponsored "identity provider", they go even further:
This is the sales pitch of an unreconstructed mountebank. It might have worked in the 20th century. It can't work in the 21st.
No comments:
Post a Comment