Obama and his BlackBerry

The Messaging and Mobile Media division of VeriSign is estimating a record 1.4 billion mobile messages will be sent on Inauguration Day. But President Barack Obama probably won’t be sending or receiving any of them. At least, not on Inauguration Day.

Obama and his BlackBerry on the campaign trail.

There has been an onslaught of articles posing questions such as, “Is the BlackBerry secure?” and probing issues like access to the President’s email. But there are much larger issues here.

As a Canadian, I have only a passing familiarity with the American legal system, so I won’t pretend to understand issues related to congressional access to Presidential email. However, if the President of the United States doesn’t have the right to exchange private personal emails with friends and family, something is seriously wrong and it is not a technical problem.

In attempts to explain the security properties of most email, many have written that email is like sending a postcard. In reality, it’s worse. It is unlikely that someone working at a postal sorting facility could automatically copy every postcard flowing through the system and walk out with the copies at the end of the day. Sadly, that’s all too easy with email. While larger ISPs have internal security and privacy processes in place, it still remains trivial to intercept copies of email, especially in the case of smaller Internet service providers. Email also leaves another trail: Virtually every mail server maintains a log file that shows the source and destination of every email message that passed through it.

The impact of this issue depends largely upon who you are. I, for one, would be flattered to hear that thousands of system administrators across the world searched their mail logs for my email address. However, such searches are guaranteed to happen within minutes of President Obama’s email address becoming known and the mere fact that Obama sent someone an email makes them interesting. Interesting enough that at least some system administrators will open the mailbox to have a look. And interesting enough that a number of organizations, both domestic and foreign, would be happy to pay for it.

The underlying issue is that, while the technology required to secure our email has existed for almost two decades, we don’t use it. Tools like PGP and the S/MIME capability built into Outlook are relatively easy to use, but only an infinitesimally small number of people use them. And ask those people what percentage of their total email is protected and you’ll quickly hear that most of their friends don’t have the capability to exchange encrypted email.

Yes, there are some issues with the BlackBerry, most notably that the encryption technology used in the device should be improved. But we need to keep the vulnerabilities in perspective. For most of us, our BlackBerry is not the weak link because intercepting the data and decrypting it is expensive, complicated and illegal. On the other hand, I would expect at least a dozen countries to spare no expense to monitor the President’s personal email. Put in security terms, few of us face a threat agent with sufficient resources and motivation to intercept the radio communications to and from our BlackBerry and break the cryptography. But the President does, and the beauty of intercepting radio waves is that nobody can see you do it. While personal emails may be benign, they can give some insight into what a leader is thinking, what other people are telling him and who his friends are.

Other issues exist, including the fact that any mobile phone, BlackBerry or otherwise, can be used to tell where someone is located when it is turned on. I won’t repeat the countless scenarios that people are posting to the net. They don’t matter. We already know where the President is. Anyone who needs his BlackBerry signal to find the Presidential motorcade isn’t much of a threat. And, after all, the devices do have an off switch.

But there’s another force at play that has nothing to do with security. Obama’s BlackBerry provides him with a direct path to the Internet that bypasses his advisors. Email, web, and telephone that they don’t screen or control. Just imagine the President asking a friend, former senate colleague, or anyone else for their opinion via email or instant messenger. This type of connectivity has the potential to change the White House and I’m sure that at least some people don’t like that.

I hope that President Obama keeps his BlackBerry. Ensuring that the President remains plugged in is a good thing. I also hope he assigns someone a new job: Fix email security. While few of us face the same threats as the President, given the economic climate and widespread economic and industrial espionage facing virtually all developed countries, we would all benefit from more secure email. I also hope that Canadian-based Research In Motion, maker of the BlackBerry, seizes the opportunity to increase the security provided by their products. We’ll all benefit from that, as well.

Criminal and negligent

The net is buzzing about Republican Vice Presidential candidate Sarah Palin’s email account being hacked, and if you somehow missed it, this Wired blog post is a good starting point.

I won’t engage in spreading rumours about who might have done it. The bottom line is that he or she, at best, did something dumb. While there still appears to be a cool factor surrounding the commission of high tech crimes, the result is really no different than breaking into someone’s home, office, or car. And doing it to a VP candidate is just plain dumb. Given the high profile of this case, the authorities will make an example of whoever is responsible, resulting in a disproportionate sentence. It’s too bad that the perpetrator thought about the FBI after the fact, instead of before.

But this story is about much more than that. It’s about weak authentication, poorly designed password recovery, poor business practices and a negligent Governor.

Security professionals have been telling people for decades that passwords are a bad idea and that they suffer from numerous weaknesses. People choose passwords that are easily guessed, they are all too often rapidly obtained through technical and social attacks, and many password systems have serious, fundamental technical flaws. But we continue to use passwords because they’re easy and cheap.

We can choose complex passphrases that are hard to crack, but doing so also makes them harder to remember, especially for those of us with dozens of them. So, to help users, companies like Yahoo provide automated reset mechanisms. The problem is that these are, for the most part, weaker than the password itself, as was clearly demonstrated in Palin’s case. Many of these systems are fundamentally flawed and fail to take target familiarity into account.

As threat levels and asset values increase, so does the need for stronger security controls. Those in the spotlight are exposed to a larger threat, and information such as their email has a higher perceived value to potential attackers. However, because it is generally easier to obtain personal information about such people, password reset mechanisms that rely upon personal information provide a lower level of security. In other words, they protect people like Palin less than they protect you and me. They fall clearly into the “really bad idea” category, and surely the security people at Yahoo know it. These flawed password reset systems make it significantly easier to reset and obtain the password of someone you know than that of a random stranger. And let’s face it, an email account belonging to your boss, ex, or another kid at school is far more interesting than a stranger’s. Shame on Yahoo (and others who do the same dumb things) for implementing such a poor security system.

Perhaps Yahoo and hundreds of others will wake up, smell the coffee and fix their reset mechanisms. But until they do, there is a solution for users: When providing “answers” to password reset questions, don’t “answer” the question they ask. For example, you might be asked the first school you attended or your first pet’s name. Be funny, be silly, be random. Make something up, and write it down if you have to. If Palin had simply answered that she met her husband “UnderThePinkOakTree”, her Yahoo account wouldn’t be in the news.
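The advice above, as an added example that is not part of the original post: a Python sketch that generates a made-up answer for each reset question and flags answers built from facts someone who knows you could supply. The syllable alphabet, the sample facts and questions, and all function names are assumptions made for this illustration.

```python
import math
import secrets

# Pronounceable consonant+vowel syllables; this alphabet is an assumption of the example.
SYLLABLES = [c + v for c in "bcdfghjklmnprstvwz" for v in "aeiou"]  # 18 * 5 = 90

def normalize(text):
    """Lower-case and keep letters/digits only, as a lenient reset form might."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def random_answer(n_syllables=10):
    """Made-up answer that has nothing to do with the question asked."""
    return "".join(secrets.choice(SYLLABLES) for _ in range(n_syllables)).capitalize()

def random_answer_bits(n_syllables=10):
    """Entropy of random_answer(): each syllable is an independent uniform choice."""
    return n_syllables * math.log2(len(SYLLABLES))

def truthful_answer_bits(candidates):
    """Entropy left once someone who knows the target narrows it to N candidates."""
    return math.log2(candidates)

def is_guessable(answer, known_facts):
    """True if the answer contains any fact an acquaintance or a search could supply."""
    a = normalize(answer)
    return any(normalize(f) in a for f in known_facts if normalize(f))

def build_answer_sheet(questions, n_syllables=10):
    """One independent random answer per question; keep the sheet somewhere safe."""
    return {q: random_answer(n_syllables) for q in questions}

if __name__ == "__main__":
    # Constructed sample data, not taken from any real account.
    facts = ["Lakeview Elementary", "Biscuit"]
    questions = ["First school you attended?", "First pet's name?"]
    print("truthful answer guessable:", is_guessable("biscuit", facts))
    print("bits, 1 of 8 plausible schools:", truthful_answer_bits(8))
    print("bits, random 10-syllable answer: %.1f" % random_answer_bits())
    for q, a in build_answer_sheet(questions).items():
        print(q, "->", a, "| guessable:", is_guessable(a, facts))
```

A truthful answer that an acquaintance can narrow to eight candidates carries 3 bits; the random ten-syllable answer carries about 65, and it stays that strong no matter how well the guesser knows you.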

Of course Governor Palin shouldn’t have been using a free Yahoo email account to conduct government business in the first place. Not only is it a well-known way to dodge information retention and access legislation, but free email accounts, as this incident demonstrates, simply don’t provide the level of security required for government business or political campaigns. Palin and her handlers should have known better. In fact, according to news reports, she has previously been criticized for conducting state business via her personal email account, so I think it’s safe to say that not only should she have known better, but she in fact did know better and continued to do so.

So where does this leave us? A dumb criminal, a negligent Yahoo, and a VP candidate that doesn’t learn from her own mistakes, none of which bode well for the American voter.

Your Own Worst Enemy

Mention computer security to most people and the ensuing conversation inevitably involves viruses, spyware, spammers, and teenage hackers. Yes, it’s true that criminals are heavily involved in identity theft, foreign governments are stealing intellectual property, and pedophiles are trolling the Internet. But if we’re really looking for the number one threat to our money and information, let’s start with a good look in the mirror.

Backups

Computer hard drives consist of one or more metal disks called platters that usually spin at 5400 or 7200 RPM. Tiny heads move over the surface of the disks, reading or writing magnetic impulses as the platter spins by. To put it in perspective, the edge of a platter running at 7200 RPM is travelling at over 100 km/h. While modern drives are very reliable, and often boast Mean Time Between Failures (MTBF) of up to five years, all it takes is a small particle of dirt, a bearing failure, or enough of a shock to cause the head to touch the platter, and it could be all over for your data. So even if you have the best antivirus protection money can buy, and you’re confident that you could never ever (ahem) accidentally delete the wrong file or folder, not backing up important files is playing the MTBF odds, and if you play long enough, you will lose.

Viruses

I think it’s safe to say that most of us are sick of hearing about viruses. Every year criminals (and have no doubt – virus writers are criminals) turn out a large number of them. Some are brand new, and occasionally one has a serious impact. However, the vast majority of virus infections are preventable, and while I hate to be accused of blaming the victim, the reality is that viruses are out there and your computer will be infected if you don’t take four simple precautions: Use a firewall between your computer and the Internet, install antivirus software and keep it up to date, don’t open email attachments that you aren’t expecting, and don’t surf the web looking for free software or porn.

Phishing

It’s getting real old, but scammers are still tricking people into logging into look-alike sites just to get their usernames and passwords. If you follow two simple rules you are unlikely to become a victim: First, financial institutions don’t email asking for updated information, and they don’t email about fraud or account suspensions. If you get email asking you to urgently update your information or log into your account due to fraud, just delete it. Second, don’t click links in email to any web site that requires you to log in. Instead, open the browser yourself, type in the URL, or select it from your bookmarks. It may take a bit more time, but it will prevent you from following links to bogus sites and giving away your username and password.

Financial Scams

If I walked up to you on the street and asked to borrow your bank account to move ten million dollars into the country in exchange for a ten percent fee, you’d probably laugh. But for some reason when the same solicitation arrives by email, people are happy to oblige, pay “fees” in advance, and are surprised when they get ripped off. The Internet gives you access to a vast amount of information around the world. It also gives fraud artists worldwide access to you. Your best defence is common sense – nobody is going to pay you millions (or even hundreds) to move their money for them. If they have millions of dollars, they don’t need your help to move it, no matter how good their excuse.

Spam and Chain Letters

A lot of people get offended when I lump spam and chain letters into the same category, but let’s be honest – while spam is sent for commercial advertising and chain letters are forwarded by well-meaning (yet gullible) family, friends, and acquaintances, the result is the same: Trash in our inbox.

Spammers collect email addresses from web sites, mailing lists, and anywhere else they can find them on the Internet. Then they sell the addresses to others, who, being like-minded, aggregate and resell their lists to others, ad infinitum. In a very short period of time, your email address is widely distributed. So our first line of defence against spam is avoidance: Don’t post your email address on the Internet. If you must do so, use a secondary email address or a disposable email address from one of the dozens of companies on the Internet that provide them. Some of the disposable email address services offer addresses that automatically expire after 24 hours, which are perfect for those companies that require an email address to download a “free” document. Along the same lines, another strategy is to give family, friends, and those you personally know one address, and use another address from Gmail or Hotmail for everything else. In the event that spam levels become uncontrollable, you can then abandon it without losing touch with family and friends. (As an aside, Gmail’s free spam filtering is top notch.)

Of course the problem may be your family and friends forwarding chain letters. If you’re lucky, a polite request may do the trick. If not, you may have to resort to the “reply-to-all with a link to snopes” technique and hope that a bit of embarrassment helps them to think next time.

On the other hand, if you like to forward chain letters, perhaps you’re the problem. Next time you get one, check out snopes.com before you forward it. Chances are you’ll find it there, along with information on why it’s not true. Then hit your delete key.

State of the Net

For those of you who missed the print edition, here’s a .pdf of my March articles in Monitor Magazine.
