Cyberweekly #7 Security has to be usable to be any good
Welcome to CyberWeekly, a weekly roundup of news, articles, long form blog posts and various other miscellania that interests your author, Michael Brunton-Spall.
Feel free to forward this on to people you think might be interested. If someone forwarded this to you, then you can subscribe to your own copy at Cyberweekly
Replies to this email come straight to me, so just hit reply to send me feedback, comments or links or tweet it to me @bruntonspall.
This week there has been a swathe of articles covering usable security in various forms. I'm loving seeing more and more organisations come up with ways to balance usability and security. We're never going to get this perfect, but we have to try.
One response to the DNC advice on Twitter was a user saying "Yeah, but this wouldn't work against the advanced threats that are targeting the DNC", forgetting that when the DNC was attacked by an "advanced threat" in 2016, the root of the attack was precisely a phishing email targeting a user's personal email account, which didn't have 2-factor authentication. These sorts of usable security tips genuinely do make us more secure, even against the most capable adversaries. If we cut out a swathe of the low-hanging fruit, we'll probably all be better off.
Usable Security
DNC pushes employees, campaigns to embrace email security habits ahead of midterms
“The overall goal is to improve the baseline security practices of a wide group of users that includes in-house staffers, candidates and volunteers spread across the country. “Nearly 80 percent of our users are now either not clicking or at least asking questions about it beforehand,” Krikorian explained. “Being realistic we’ll probably never get to 100 percent compliance but we’re working on it … it’s important that people flag something, anything that seems suspicious … A lot of that happens through Signal to Bob [Lord] or to our help desk, so that we’re informed.””
Note that the DNC is running internal phishing campaigns not to blame staff or single out who clicked a link, but to measure how effective its advice has been. The checklist is a wonderful piece of actionable security advice as well.
Use the tools that you need to do good work - Canadian Digital Service
“We’ve chosen to optimize for where our developers spend most of their time.”
This is the crux of one of the issues that security people often don’t understand: users want good solutions that are close to them. When security offers solutions that are “more secure” but further away from users, it falls back into the old false dichotomy that user experience is a trade-off against security.
Monzo – Engineering Principles at Monzo
“We now have a team of over 70 engineers working on this, with more joining every week. As we continue to grow, it’s crucial that we create a shared understanding of what “good” looks like so that existing engineers know how to make decisions and prioritise work and new engineers know what we expect and how we work.”
I think this article is brilliant for its advice, but I wanted to highlight it for this comment. From my experience at GDS and the Guardian, as well as helping other government departments build out digital teams, one thing is clear: scaling people is really hard. Dunbar’s number means that all of those assumptions and things that “everyone knows” probably aren’t obvious to everyone, and once you scale past around 25 people you need to put real effort into documenting and communicating those cultural assumptions and practices if you want them to succeed.
Cloud
NSA ‘Systematically Moving’ All Its Data to The Cloud - Nextgov
"The National Security Agency has moved most of the mission data it collects, analyzes and stores into a classified cloud computing environment known as the Intelligence Community GovCloud."
Next time someone tells you that "the cloud" isn't secure, you can remind them that the NSA is moving a lot of its mission analytics into an intelligence community GovCloud. This isn't the same as the public cloud: it will have dedicated hardware, dedicated sysadmins and, of course, is segregated. But the US intelligence community is a large number of organisations, around 17 US agencies plus potentially a number of international partners, so that's still a lot of different organisations with different threat profiles and different concerns sharing one environment.
Why you should not use Google Cloud. – Punch a Server
“I receive a barrage of emails from Google saying there is some ‘potential suspicious activity’ and all my systems have been turned off”
Of all the cyber security concerns with cloud, availability is the one that scares me the most. The cloud provider deciding there is a problem with your billing or your account could result in the loss of the whole account, which is everything. Making sure that you have good contractual terms, that you aren’t just paying on the CFO’s credit card, and that you understand the risk is critical to using the cloud effectively.
Note that this isn't a new risk: your outsourced hosting provider going bankrupt or refusing to operate your devices has always been a risk. But with modern cloud providers the commercial agreements are often more commoditised and not weighted in your favour as a user.
Other
Psychology’s trolley problem might have a problem.
"If people’s answers to a trolley-type dilemma don’t match up exactly with their behaviors in a real-life (or realistic) version of the same, does that mean trolleyology itself has been derailed?"
The trolley dilemma is a favourite thought experiment of armchair psychologists because it is easy to understand and feels simple to reason about. But if this data is accurate, how people philosophise that they would act and how they actually act differ significantly. The same is true when we think about security policies: we need to measure how people actually behave in these situations, rather than build policies around supposed human behaviour.
When spies hack journalists - NYTimes
“For reporters, withholding valuable information from the public is anathema. But in a world in which foreign intelligence services hack, leak and fabricate, journalists will have to use extreme caution and extra transparency.”
This is a really interesting take on the ethics of journalism. Getting access to sources and material is obviously useful to journalists, but if the journalist suspects that the person leaking has a political motive to influence the public conversation, who gets to decide what’s right? Especially as politics in various countries around the world becomes more polarised, expect more of this.
Blockchain
Tory MP says UK needs a chief blockchain officer | City A.M.
“Hughes makes a series of recommendations in his report 'Unlocking Blockchain' issued today including the appointment of a public-facing chief blockchain officer to coordinate the UK’s strategy on applying blockchain technology to public services and data.”
This worries me immensely. It is seeking to force a solution on government departments without a clear idea of what problem it solves. Very much the tail wagging the dog.
IOTA Signatures, Private Keys and Address Reuse? - Lekkertech
“So after generating one piece of the private key, the whole internal state of the sponge only contains information that is also in the first piece of the private key. A Key Derivation Function that behaves like this is critically broken.”
A timely reminder that crypto is hard. Really hard. And cryptocurrencies are being implemented by people who don’t understand the properties of the safe cryptographic components they are using.
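To make the failure mode in that quote concrete, here is an added toy example written for this newsletter. It is not IOTA's code, nor its Kerl/Curl sponge, nor any real KDF; the seed, the salt string and the fragment count are all constructed for illustration. The "leaky" construction has no hidden capacity, so the first output fragment is the entire internal state and anyone who sees fragment 0 of the private key can compute every later fragment without ever learning the seed. The counter-mode, HKDF-style construction beside it keeps its PRF key out of every output, so fragment 0 tells you nothing about fragment 1.

```python
import hashlib
import hmac

# Toy constructions for illustration only (added example, not IOTA's code).


def leaky_kdf(seed: bytes, fragments: int) -> list:
    """A 'sponge' with no hidden capacity: each output fragment IS the whole state.

    The next state is derived purely from the previous output, so the state
    never contains information that is not already in fragment 0."""
    state = hashlib.sha256(seed).digest()
    out = []
    for _ in range(fragments):
        out.append(state)                       # squeeze: emit the full state
        state = hashlib.sha256(state).digest()  # permute: depends only on the output
    return out


def attacker_extends(first_fragment: bytes, fragments: int) -> list:
    """Recompute every fragment from fragment 0 alone, without the seed.

    This is exactly the leaky construction's own squeeze loop, started from the
    observed fragment instead of the seed."""
    state = first_fragment
    out = []
    for _ in range(fragments):
        out.append(state)
        state = hashlib.sha256(state).digest()
    return out


def sound_kdf(seed: bytes, fragments: int) -> list:
    """Counter-mode, HKDF-style expansion: fragment i = PRF(prk, i).

    The PRF key (prk) never appears in any output, so observing one fragment
    gives no way to compute another."""
    # The salt is an assumed constant for this toy; a real deployment would fix its own.
    prk = hmac.new(b"toy-kdf-salt", seed, hashlib.sha256).digest()
    return [hmac.new(prk, i.to_bytes(4, "big"), hashlib.sha256).digest()
            for i in range(fragments)]


def leaks_remaining_fragments(kdf, seed: bytes, fragments: int = 4) -> bool:
    """True if an observer holding only fragment 0 can reproduce all the rest
    by iterating the public state-update function."""
    real = kdf(seed, fragments)
    guessed = attacker_extends(real[0], fragments)
    return guessed == real


if __name__ == "__main__":
    seed = b"constructed example seed"          # constructed input, not a real key
    print("leaky KDF leaks the rest:", leaks_remaining_fragments(leaky_kdf, seed))
    print("sound KDF leaks the rest:", leaks_remaining_fragments(sound_kdf, seed))
```

The check to carry away is the one in `leaks_remaining_fragments`: for any KDF or sponge you rely on, ask whether the bits you hand out are enough to reconstruct the state that produces the next ones. If they are, the secret is effectively the first fragment and the rest of the key is decoration.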
Someone once explained to me that cryptographic functions are unusual because they don’t compose the way you might expect.
That is to say, applying function f to data d and then function g doesn’t necessarily give you the security properties of f and g combined; in fact it’s possible, even likely, that the output of g breaks the security properties of f. (See the discussions of "Encrypt then Sign" versus "Sign then Encrypt" for a good example.)
Hash functions and encryption often exhibit these properties, and very few people understand both the mathematics and the implementation well enough to carry this stuff out safely.
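As an added example of "the output of g breaks the security properties of f" (written for this newsletter, not from the IOTA write-up or any library), here is the MAC analogue of the encrypt/sign ordering question above. The cipher is a toy SHA-256 counter-mode stream, assumed here purely for illustration; the keys, nonces and the "SELL" message are constructed inputs. The encryption f is fine on its own: the same plaintext under fresh nonces gives unrelated ciphertexts. But when g is a MAC computed over the plaintext (encrypt-and-MAC), the tag is a deterministic function of the message, so a passive observer can tell that two ciphertexts carry the same order even though they cannot read it. Putting g over the nonce and ciphertext instead (encrypt-then-MAC) preserves what f promised.

```python
import hashlib
import hmac
import os

# Toy scheme for illustration only (added example). The stream cipher is
# SHA-256 in counter mode and is NOT a real cipher; the MAC stands in for the
# 'sign' step discussed in the text.


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream (toy; not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_encrypt(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt (or decrypt: the operation is its own inverse) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(enc_key, nonce, len(data))))


def encrypt_and_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, pt: bytes):
    """f then g with g over the PLAINTEXT. The tag depends only on pt and mac_key,
    so equal messages produce equal tags regardless of the nonce."""
    ct = xor_encrypt(enc_key, nonce, pt)
    tag = hmac.new(mac_key, pt, hashlib.sha256).digest()
    return nonce, ct, tag


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, pt: bytes):
    """g over nonce and CIPHERTEXT. The tag inherits the nonce's randomness and
    says nothing about the plaintext beyond what the ciphertext already does."""
    ct = xor_encrypt(enc_key, nonce, pt)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def tags_leak_equality(scheme, pt: bytes, trials: int = 3) -> bool:
    """Encrypt the same plaintext several times under fresh random nonces and
    return True if the tags alone reveal that the messages were identical."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    tags = {scheme(enc_key, mac_key, os.urandom(12), pt)[2] for _ in range(trials)}
    return len(tags) == 1


if __name__ == "__main__":
    order = b"SELL 100"  # constructed message
    print("encrypt-and-MAC leaks equality:", tags_leak_equality(encrypt_and_mac, order))
    print("encrypt-then-MAC leaks equality:", tags_leak_equality(encrypt_then_mac, order))
```

Nothing in either component is broken: HMAC is a perfectly good MAC and the stream cipher hides the message. The leak comes entirely from the order of composition, which is the point the paragraph above is making, and it is why the practical advice is to authenticate what actually goes on the wire (nonce and ciphertext) rather than the secret underneath it.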
That's all for this week. See you next week.
Michael