The cloud is a powder keg

This post is about computer security.  Before your eyes glaze over, let me say that – without using any security jargon – I’m going to try to convince you there is a significant security issue on the horizon that will affect almost every business that stores valuable data on computers.

Willie Sutton was a bank robber who, when asked “Why do you rob banks?” replied “because that’s where the money is.”  This quote is famous enough that some people call it Sutton’s law.  On the internet, Sutton’s law means the bad guys will try to hack where the valuable data is stored.

One of the major trends in the technology world is “cloud computing” or the related concept of “Software-as-a-Service (SaaS)”.  The idea is that instead of installing software within your company’s own network, it is hosted by a service provider and you access it via a web browser.   SaaS applications are popular because they are much easier to use, install, maintain, and access.  The most prominent examples are probably Salesforce and Google Apps.  But the SaaS revolution is happening to almost every corporate application – HR, accounting, project management, bug tracking, and so on.

As a result, there is a giant migration of data going on.  We are moving from a world where everyone kept valuable data within their network to a world where all of their data is in SaaS providers’ databases.

Sutton’s 2nd law is that where there is lots of money, bad guys find a way to get to it (ok, I made up the name for this law – but it should have a name).  When kings had piles of gold in their castles, people found a way across the moats and through the gates.   The same is true of people robbing banks, and the same will be true of SaaS providers’ databases.  It could be an inside job, someone leaving a “door” open, or just clever hacking – but you can rest assured that with a giant pile of gold sitting there, the bad guys will get it (in fact it’s already started).

We have gone from a world where everyone hid money under their mattress and protected it with an alarm system and shotgun to a world where all the money is in just a few places, run by people who have no particular expertise providing security, who for the most part deny there is any risk.   SaaS providers like Salesforce just dismiss the security risk, saying, in essence, that they have alarms and shotguns too.

It’s a powder keg waiting to explode.

Disclosure:  I invested in a stealth mode security company that addresses this problem.  Perhaps that makes me biased.  I prefer to think of it as evidence that I believe what I’m writing here.

password hints, security questions etc are a bad idea, reason #723

As I’ve said before, security questions, password hints etc. are a really bad idea.

Today, I was on gap.com and forgot my password.  When you put in an email on their login page and click “I forgot my password” they show you your password hint.  You can put in any email address and find out their password hint this way.  This is a great way for hackers to figure out your password.  (How many people just use the password itself as their hint?  I bet a lot).

When I saw my own hint, which I put in a long time ago, I had to chuckle at my obnoxious former self:

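To make the problem concrete, here is an added example (my own illustration, not gap.com’s code and not part of the original post) that contrasts the “type any email, get that account’s hint” flow with a version that leaks nothing to an unauthenticated caller, plus the server-side check that should have stopped people from using the password itself as the hint. The account store, the outbox and the reset URL are constructed stand-ins.

```python
import secrets

# Constructed sample account store (not real data). Alice did what the post
# suspects many people do: her hint is literally her password.
ACCOUNTS = {
    "alice@example.com": {"password": "Tr0ub4dor", "hint": "Tr0ub4dor"},
    "bob@example.com":   {"password": "winter2009", "hint": "season + year"},
}

OUTBOX = []        # constructed stand-in for an email sender
RESET_TOKENS = {}  # single-use tokens, keyed by token value


def forgot_password_leaky(email):
    """The pattern described in the post: whoever types an email address gets
    that account's hint back, with no proof they own the address. It also
    tells the caller whether the address is registered at all."""
    account = ACCOUNTS.get(email)
    if account is None:
        return "No account with that email."
    return f"Your hint: {account['hint']}"


def forgot_password_hardened(email):
    """Same response for every input, so the caller learns nothing about
    whether the address exists or what the hint is. If the account exists,
    a random single-use reset token is sent only to the address on file."""
    account = ACCOUNTS.get(email)
    if account is not None:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[token] = email
        # example.invalid is a reserved placeholder domain, not a real site
        OUTBOX.append((email, f"Reset link: https://example.invalid/reset?token={token}"))
    return "If an account exists for that address, a reset link has been sent."


def hint_is_acceptable(password, hint, min_overlap=4):
    """Check to run when a hint is created: reject hints that contain the
    password, or that are a substantial (>= min_overlap chars) piece of it.
    Case-insensitive, since 'tr0ub4dor' gives away 'Tr0ub4dor' just as well.
    Very short hints ('w') are allowed because they reveal almost nothing."""
    p = password.lower().strip()
    h = hint.lower().strip()
    if not h:
        return True
    if p in h:
        return False
    if len(h) >= min_overlap and h in p:
        return False
    return True


if __name__ == "__main__":
    print(forgot_password_leaky("alice@example.com"))
    print(forgot_password_hardened("alice@example.com"))
    print(forgot_password_hardened("nobody@example.com"))
    print(hint_is_acceptable("Tr0ub4dor", "Tr0ub4dor"))
```

The hardened flow still lets a legitimate user recover their account; it just moves the secret out of the browser response and into a channel only the address owner can read. The hint check belongs at account creation, because once a password-as-hint is stored, every later disclosure path inherits the problem.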

NYTimes gets computer security wrong again

I love the NYTimes and read it every day.

But almost every computer security related article I read in it is just dead wrong. As someone who started and successfully sold a computer security company (SiteAdvisor to McAfee) I feel like this is one area I know something about. (Scary thought: does the NYTimes just happen to be wrong about my area of expertise, or are they wrong about a lot more and this is the only area where I’m able to detect it?)

Today’s poorly researched and flat-out wrong security article claims Macs Aren’t Safer, Just a Smaller Target. The sole piece of evidence comes from a study by Symantec, a company that sells Mac anti-virus software. When your only source has a significant business interest in “results” of the study, shouldn’t the “newspaper of record” get a second opinion? For example, maybe talk to an operating systems expert, most if not all of whom will tell you Mac’s Unix-based OS is just a vastly better architecture from a security perspective.

Moreover, as comments on the article point out, the Mac’s market share is big enough now (~10%) that it certainly seems like a reasonable target. In fact, with all the talk of how Macs don’t get viruses, if I were a virus writer today looking to make my name, I’d imagine targeting the Mac would be a far more interesting way to go.

I literally can’t remember the last time I met a techie in CA or NYC who used a PC. At this point using a Mac versus PC in the tech world has become an IQ test, not a preference.

sunbelt blog

Alex Eckelberry has for years been one of the best bloggers on internet security. Personally I can say that I learned a lot about internet security by reading his blog (in addition to, among others, Ben Edelman’s). Today he posted about Yahoo’s announcement that they would use SiteAdvisor to help block certain sites from Yahoo’s search results. I have been reading Alex’s blog for years and get the sense that beyond his business interests he truly cares about protecting ordinary internet users from spyware, phishing, spam etc.

Bad trend of the week: security questions

I’ve noticed more and more websites ask you to enter answers to security questions like “what is your mother’s maiden name” or “where were you born”. This is a very bad trend. Here’s why:

1. Answers to security questions are far more easily guessed than passwords. E.g., just guess the biggest US cities for “where were you born?”

2. Security questions are far more easily figured out by clever hackers. See e.g. “Messin’ with Texas: Deriving Mother’s Maiden Names Using Public Records,” V. Griffith and M. Jakobsson, ACNS ’05, 2005, and CryptoBytes, Winter ’07.

3. Every time you answer a question like “What city were you born in?”, you spread that important piece of information more widely, thereby increasing the chance that a rogue employee or a data breach exposes valuable information about you. This is particularly bad when the same security questions are shared by sites with no real need for security (e.g. a casual game site) and sites with a strong need for security (e.g. your bank).

My advice next time you are asked for an answer to a security question is not to answer truthfully but instead to use a “strong” password (“strong” means, roughly, 8 or more letters (with mixed case), numbers and, if allowed, symbols). So when they ask you “What city were you born in?” answer “5ght11YT” or something, effectively turning their security question into a conventional password. And then I’d write that password down on a piece of paper (not on your computer).

Update:  David Weinberger has some other reasons security questions are dumb.
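The first point above, that a birth-city answer is far easier to guess than a password, can be put in numbers. The following is an added example (mine, not from the original post) that compares a guessing attacker’s odds against a skewed answer distribution with the odds against the random-string answer the post recommends, and generates such an answer. The city shares are constructed for illustration, not census figures.

```python
import math
import secrets
import string

# Constructed illustration, not real demographics: the share of a hypothetical
# user base born in each city. A real distribution is even more skewed.
BIRTH_CITY_SHARES = {
    "New York": 0.25, "Los Angeles": 0.15, "Chicago": 0.15,
    "Houston": 0.10, "Phoenix": 0.10, "Philadelphia": 0.10,
    "San Antonio": 0.05, "San Diego": 0.05, "Dallas": 0.05,
}


def shannon_entropy_bits(dist):
    """Entropy of an answer distribution in bits: the average unpredictability
    of one answer. Uniform over N answers gives log2(N); skew lowers it."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def guesses_to_cover(dist, target):
    """Number of guesses an attacker needs, trying answers from most to least
    likely, before the chance of having hit the right one reaches `target`."""
    cumulative = 0.0
    for count, p in enumerate(sorted(dist.values(), reverse=True), start=1):
        cumulative += p
        if cumulative >= target - 1e-12:
            return count
    return len(dist)


def random_answer_entropy_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random string of `length` characters
    drawn from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def make_random_answer(length=8):
    """Generate the kind of answer the post suggests typing instead of a real
    city: random mixed-case letters and digits, with at least one of each
    class so it passes typical complexity rules. Uses the `secrets` CSPRNG."""
    if length < 3:
        raise ValueError("need room for one upper, one lower and one digit")
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


if __name__ == "__main__":
    print(f"city answer entropy: {shannon_entropy_bits(BIRTH_CITY_SHARES):.2f} bits")
    print(f"guesses for a 50% hit: {guesses_to_cover(BIRTH_CITY_SHARES, 0.5)}")
    print(f"random 8-char answer: {random_answer_entropy_bits(62, 8):.1f} bits")
    print(f"example random answer: {make_random_answer()}")
```

With the constructed shares, three guesses already give the attacker even odds, and the whole answer space carries under 3.2 bits of entropy; an 8-character random alphanumeric string carries about 47.6 bits, which is why a made-up answer behaves like a password and a truthful one does not. The same functions work for any other security question once you have an estimate of how answers are distributed.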