Stilgherrian is an Australian journalist covering internet policy, cybersecurity, digital surveillance and privacy.

Dec 24, 2012
Published on: CSO Online Australia

In a recent episode of a certain podcast, we discussed the idea that the new mobile platforms represent a once-in-a-generation opportunity to transform online security.

Whichever platform you pick -- iOS, Android or Windows Phone -- it's potentially a powerful combination. A known, limited range of hardware. An operating system where users don't have administrator access. A process for vetting and signing software before distribution to minimise the possibility of malware entering the ecosystem. And everything authenticated with a robust system of cryptographic keys.

It all made so much sense.

And then my dream was shattered by the realisation that all of this would have to be created by the vendors. None of them can be said to have a great track record when it comes to putting security ahead of their corporate interests. Nor, for that matter, honestly facing up to security problems.

Take Samsung's official statement on the recently discovered Android kernel vulnerability that affects most of its top-line products.

"The issue may arise only when a malicious application is operated on the affected devices; however, this does not affect most devices operating credible and authenticated applications," Samsung said.

The vulnerability isn't a problem unless someone is malicious? Well that's OK then. People walking alone in dark alleys are only at risk of being mugged if someone is malicious too.

I hope this idiocy simply reflects an unfamiliarity with security concepts on the part of Samsung's PR department, rather than the security awareness of Samsung as a whole -- though the hard-coded admin passwords in their network printers suggest otherwise.

But is Samsung's naivety better or worse than Apple's institutionalised denial?

As I wrote in May, Apple simply doesn't talk about security.

"For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available," says the Apple Product Security website.

Read that carefully. Apple doesn't even discuss an issue until they've patched it. Issues could exist, be known to Apple, and even be actively exploited -- but they won't tell you. Not even a suggested workaround. Nothing must tarnish the image of invulnerability.

At least Microsoft learned the hard way that true security requires a certain amount of honest communication. But with Windows Phone's market share down below 5 percent somewhere, they really do have security through obscurity. Who'd write malware for such small numbers?

I don't imagine any of this will be fixed in 2013.

Nor do I imagine that there'll be much improvement in our ability to take care of the security basics, whether that's patching software or managing passwords -- and in just the past few weeks I've experienced two password howlers.

When I organised a new mobile broadband account with Telstra, the password that gives access both to the 4G network and to the account management portal was emailed to me in plaintext.

And when fat fingers led me to lock myself out of my American Express merchant account, necessitating a password reset, Amex's helpful staff gave me a new password: "password1". At least they suggested I log in immediately and choose a new one. Yes. Good idea.

There are two lights on the horizon for 2013, though.

First, the Defence Signals Directorate (DSD) is getting praise for its "Catch, Patch, Match" strategy, which now lists application whitelisting as the number one item for defending against targeted intrusions.

Second, a security strategy called "measured risk reduction" is getting some attention.

Pioneered by the US Department of State, measured risk reduction involves using automated vulnerability reporting to measure the risk across the organisation's networks, and putting the different problems onto a common scale to create a simple metric that can be communicated daily.

Along with that daily metric, systems administrators are given one or two high-return security tasks, along with instructions, that can be done in the 20 minutes or so they can typically spend on security.
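A toy version of that loop, added here as an illustration and not the State Department's or SANS's actual method: unlike findings go onto one scale, the scale collapses to a single daily number, and an administrator is handed the one or two fixes that remove the most risk in a 20-minute budget. The scoring formula, the sample findings and the host list are all constructed for the example.

```python
"""Toy 'measured risk reduction' scorer. Constructed example; the scoring formula is an
assumption of this example, not the State Department's or SANS's actual method."""
from collections import defaultdict

# Constructed vulnerability-report rows: (host, finding, severity 1-10, days_open, fix_minutes)
FINDINGS = [
    ("web01", "Unpatched web server", 9, 30, 10),
    ("web01", "Weak TLS cipher", 4, 5, 15),
    ("db01", "Missing OS patches", 7, 60, 10),
    ("mail01", "Default admin password", 10, 12, 5),
    ("ws-17", "Outdated browser", 6, 3, 5),
    ("ws-18", "Outdated browser", 6, 3, 5),
]
HOSTS = ["web01", "db01", "mail01", "ws-17", "ws-18", "ws-19"]  # ws-19 has no findings

def score(severity, days_open):
    """Common scale for unlike problems: severity, weighted up the longer it stays open."""
    return round(severity * (1 + days_open / 30.0), 1)

def daily_metric(findings, hosts):
    """The one number to communicate each day: average open risk per host in the inventory."""
    total = sum(score(sev, days) for _, _, sev, days, _ in findings)
    return round(total / len(hosts), 1)

def high_return_tasks(findings, minutes_budget=20, max_tasks=2):
    """Pick the one or two fixes with the most risk removed per minute that fit the budget.
    Identical findings across hosts count as one task (one browser push for all workstations)."""
    risk, effort = defaultdict(float), defaultdict(int)
    for _, name, sev, days, mins in findings:
        risk[name] += score(sev, days)
        effort[name] += mins
    ranked = sorted(risk, key=lambda n: risk[n] / effort[n], reverse=True)
    chosen, spent = [], 0
    for name in ranked:
        if len(chosen) == max_tasks:
            break
        if spent + effort[name] <= minutes_budget:
            chosen.append((name, round(risk[name], 1), effort[name]))
            spent += effort[name]
    return chosen

def after_tasks(findings, tasks):
    """Findings left once the chosen tasks are done, so tomorrow's metric shows the drop."""
    done = {name for name, _, _ in tasks}
    return [f for f in findings if f[1] not in done]

if __name__ == "__main__":
    print("today:", daily_metric(FINDINGS, HOSTS))
    tasks = high_return_tasks(FINDINGS)
    for name, removed, mins in tasks:
        print(f"  task: {name} (removes {removed} risk in {mins} min)")
    print("after:", daily_metric(after_tasks(FINDINGS, tasks), HOSTS))
```

Run as a script it prints today's average risk per host, the two tasks chosen, and the lower figure the same metric would show once those tasks are done.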

The adoption of measured risk reduction will transform security, says SANS Institute director of research Alan Paller. That sounds like an excellent plan for 2013.