Convenience, the bane of security and privacy

This is about an issue which I believe is the ultimate cause of many if not all technology challenges we face today, particularly in the area of Security and Privacy, says Anton Hofland of 2024Sight, Inc.

The issue is that almost everyone exposed to technology, whether as user, service provider, manufacturer or developer, when faced with a choice between right and convenient, will choose the latter. And that is where the trouble starts. Below I have given a few examples of where it has led us.

Data breaches as a result of buffer overflows

Data breaches, excluding those resulting from social engineering, have one thing in common, namely buffer overflows. These buffer overflows occur because someone conveniently forgot to check that the variable being copied actually fits into the destination memory reserved. Granted, it is very inconvenient and tedious for a developer to have to write the code to perform these checks and then to handle the exceptions, but it really pays off. During my time in one of the major banks in London, I was once responsible for the development of a piece of software which should not ever crash or be breached, or else… My rule was simple: ‘Everything gets checked and no use of clever side-effects or anything else obscure’. I can still hear the complaints from my team today. They told me it was difficult and would take a long time, most inconvenient to a project manager, but it resulted in a piece of software which never failed and was never breached.
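The check the paragraph describes, written out in C as an added example (this is not code from the article or from the author's bank project; the `struct account` layout, the function names and the 16-byte name field are constructed for illustration). The length of the incoming data is compared with the space reserved before a single byte is copied, and the caller is forced to handle the rejection instead of silently writing past the end of the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded length: counts bytes of s up to limit and never reads past it,
 * so an unterminated input cannot make the check itself read out of bounds. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0') {
        n++;
    }
    return n;
}

/* Copy src into dst, whose capacity is dst_size bytes including the
 * terminator. Returns 0 on success and -1 (dst set to "") if src does not
 * fit. This is the "inconvenient" check: size compared with space reserved
 * before the copy, and a failure the caller must deal with explicitly. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0) {
        return -1;
    }
    size_t src_len = bounded_len(src, dst_size);
    if (src_len >= dst_size) {      /* no room for the data plus '\0' */
        dst[0] = '\0';              /* leave a well-defined destination */
        return -1;                  /* reject, truncate, log: caller decides */
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* The convenient version, shown only for contrast and never called here:
 * strcpy performs no size check, so a 40-byte name written into a 16-byte
 * field overwrites whatever the compiler placed after it. */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Constructed record: a short name field followed by a flag that only
 * privileged code should ever set. Overflowing name[] would land on it. */
struct account {
    char name[16];
    int  is_admin;
};

/* Store an untrusted name. Returns 0 if stored, -1 if rejected; the flag
 * beside the name field is untouched either way. */
int set_account_name(struct account *acct, const char *input)
{
    return copy_checked(acct->name, sizeof acct->name, input);
}

/* Returns 1 when the input was stored and the admin flag is still clear,
 * 0 when the input was rejected. */
int name_stored_and_flag_intact(const char *input)
{
    struct account acct;
    acct.is_admin = 0;
    int rc = set_account_name(&acct, input);
    return rc == 0 && acct.is_admin == 0;
}

/* Exercise copy_checked with a caller-chosen capacity (at most 64 bytes);
 * returns copy_checked's status code. */
int try_copy(size_t capacity, const char *src)
{
    char buf[64];
    if (capacity > sizeof buf) {
        return -1;
    }
    return copy_checked(buf, capacity, src);
}

int main(void)
{
    /* Constructed inputs: one that fits and one that is exactly too long. */
    printf("short name stored: %d\n", name_stored_and_flag_intact("alice"));
    printf("16-char name rejected: %d\n",
           name_stored_and_flag_intact("0123456789abcdef") == 0);
    return 0;
}
```

The rejected case is the one the article's rule is about: a 16-character name has no room for its terminator in a 16-byte field, so `copy_checked` refuses it rather than spilling one byte into `is_admin`. Whether the caller then truncates, rejects the request or logs it is a design decision, but it is now a decision rather than an accident.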

Connected cars

Earlier this year, in preparation for the Las Vegas Black Hat conference, a group of researchers broke into a car remotely while it was on the road. The break-in occurred via the car’s infotainment system. From there the researchers were able to take control over the car. Why was this possible? In this car the infotainment system was not sufficiently segregated from the other services, unlike cars offered by some competitors. Why did that happen? Most likely the development team was under time pressure to deliver and therefore conveniently omitted implementing a strictly segregated, secure system as too hard, too costly or too time consuming, with the argument that implementing it properly would put the delivery timeline at risk.

Contactless payment cards

A prime example of mistaken user convenience, as well as service provider convenience, is the NFC contactless payment card. While the banking industry maintains these cards are secure, the UK Consumer Association “Which?” showed in April 2015 that it is possible to skim card information from NFC enabled contactless payment cards for use online. A UK newspaper article from late last year highlighted a flaw which showed how payment cards might be tricked into transferring large sums to a fraudster. Securing these cards is, in my view, not possible without mandating a real-time connection from the payment terminal to some trusted server. This is hard, costly and rather inconvenient to implement and operate, hence unlikely to happen.

Is the IoT different?

With the IoT it might have been different, but in reality it is not. Almost all of us are happily careering headlong down the path of convenience at the expense of security and privacy. The FBI recommendation to give up some of the convenience and keep IoT devices, in their broadest definition, far away from any network is surely a good indication of how bad it has become.


The author of this blog is Anton Hofland, director and CEO of 2024Sight, Inc.
