Thursday, 18 June 2015

Security Is a Process

I do not disguise the fact I have been trying to migrate the people I am in regular contact with into using the Signal messaging app (or, as it is known under Android, TextSecure). I will also add I've been pretty successful. The reasons why I consider Signal the best communication method after face to face have been elaborated here; suffice to say it is its security that puts it above the rest.
More often than not, the reaction I receive upon asking/begging my friends to install Signal is that of lazy rejection. "You already asked me to use Telegram" or "You already asked me to use PGP emails" are both reactions I have heard several times.
What these people don't seem to want to get is that keeping things secure is not a one-off affair. Security is a process. It's ongoing. One has to step up with the times. One needs to identify the things they would like to keep secure (in my case, private discussions), identify threats to those things, identify the vulnerabilities that may apply, identify risks (essentially, where threat meets vulnerability), come up with mitigation strategies, and - and that's the catch - repeat the whole process again and again because the world does not keep still. That's risk management in a nutshell for you.
Not only do most people fail to get that, their basic disposition is to mock me over my passion for privacy/security. Because, as you know, they make sure that their private information is headline news. Or, sarcasm aside, because they live a life of blissful ignorance when it comes to online threats.


The problem is, online threats just keep on getting bigger and bigger.
Today we have learned of a huge security problem affecting passwords in Apple systems, specifically on OS X (that's Macs for you) and iOS (that's iPads and iPhones). The crux of the matter is that there is a way to steal passwords from secure lockers on these systems, either Apple's secure keychain or a very popular password manager in the Apple ecosystem, 1Password. Personally, since I rely on 1Password (and have warmly recommended it), this is a big deal for me.
I was therefore very interested to read the analysis published by 1Password's own publishers, AgileBits, on their blog here.
Reading the linked material, it is clear Apple has some severe issues with its sandboxing (that is, the facilities its systems utilise in order to prevent one application from stealing another's information). I find it very interesting to note that, contrary to common belief and past evidence, the researchers that identified this new Apple vulnerability consider Android's sandboxing facilities superior to iOS'.
Since Tim Cook himself has been selling Apple lately on account of its security and privacy credentials, this is a big deal with potentially big financial ramifications.

Let us go back again to the original point of this post, the point about security being a process.
This latest Apple zero day vulnerability (it's called "zero day" because there is no fix for it) demonstrates that fact. It's not like we can avoid storing passwords on our computers anymore; at the very basic level, our browsers need to be able to allow us to enter a password so that we can, say, log in to our webmail. The only thing that we can do, other than throw the whole of Apple's gadgets away, is to learn and adapt our ways. As it is, there are things we can do to mitigate the risks: we can avoid installing dodgy stuff on our Macs. We can also be careful with the add-ons we install on our browsers. If we do these things then our browsing is still pretty safe and 1Password is still the great and extremely useful tool I consider it to be.
The point is, the problem is more or less solved even without Apple patching its territory simply by us adapting to mitigate the risk.

image by David Gohring, Creative Commons (CC BY 2.0) licence


Megan O'Brien said...

Hi David,

Hi, I’m Megan and I work for AgileBits, makers of 1Password.

I just wanted to take a moment to thank you for writing this article. Being an informed citizen of the internet is so important these days, and it's great to see you helping out by sharing your thoughts.

Keep being awesome!

Moshe Reuveni said...

Thank you for the kind words, Barbara, I'm sure there's a David out there that appreciates them :-)
[Don't worry about my silly joke, I'm sure you had a hard day at the office yesterday]