Doctor Watson, I presume?
Presumed security is an interesting thing. Although not something that's commonly discussed, it's actually the other side of "security through obscurity". Security through obscurity refers to a system that's made so deliberately complex that it (in theory) deters attacks simply due to that complexity. In other words, it's so difficult to understand that an attacker doesn't have a chance of finding a security flaw in it. Hopefully. However any decent security professional will immediately pop up and tell you that security through obscurity is actually no security at all, because you're relying on smoke and mirrors to keep you safe. And that's fair enough. Because it's true.
Presumed security, on the other hand, is almost never talked about in IT security circles. It's very simple to understand and is best demonstrated by this recent BBC News article: Illegal immigrant stows away on Sandhurst coach. Sandhurst, for those of you not aware, is the premier military officer training academy, renowned worldwide for the calibre of officers it produces (the Wikipedia article is quite detailed). As the BBC article explains, an Afghan illegal immigrant was able to simply jump on a coach in Germany, enjoy a trip to the UK, and get off the other end actually inside Sandhurst before being discovered. Straight through security, no questions asked. This was possible because of one simple fact: the presumed security of Sandhurst is so great it actually doesn't need much security at all.
This might be a little surprising at first read but I assure you it's absolutely true. Not only has the Afghan in the article proved it - and fortunately he wasn't a terrorist - but I've seen this for myself. How? Another not widely known fact is the Ministry of Defence has contracts with certain private companies, allowing them to run business training and development courses within Sandhurst itself. That means those companies freely invite civilians into Sandhurst for training courses and the like. I'm fortunate enough to have been on one, and very good it was too.
On the first day of the course I drove up to the front gates of Sandhurst, passport in hand. I expected to be stopped at the front gates by a posse of well developed soldiers, each with a finger hovering nervously over the trigger of their very loaded assault rifles. Instead I found myself parked in front of a flimsy red and white pole pretending to be an entrance barrier. To the right were two, well, slightly elderly gentlemen in day-glo jackets standing in what could charitably be described as a guard shack. This definitely wasn't the Alamo. One wandered over to my car and asked me what I was there for; I gave the name of the company I was visiting and was immediately waved through. No check of my passport, no inspection of my car, not even a cursory strip search and blood test.
Let's bear in mind that we're clearly in the age of terrorist attacks. Let's also bear in mind that the name of the company I was visiting can be easily found from Google. All I needed to do to gain unescorted access to Sandhurst was to drive up to the front gate on a particular day and give the name of a company with some offices within. I've been in corporate offices and data centres with more security than that.
This is presumed security. Because Sandhurst is staffed by experienced soldiers and hosts large numbers of officer cadets they probably don't need an SAS squad manning the front gates. Any would-be attacker would probably be discouraged by the large amount of uniforms and, no doubt, the not insignificant number of guns and bullets inside. So, when an illegal immigrant gets on a bus and by sheer dumb luck ends up inside Sandhurst, there's very little active security to stop him. Now I'll be the first to admit that there probably is a decent amount of invisible security at Sandhurst, but I did get lost in the extremely large acreage once or twice. Despite driving around aimlessly for a little while nobody rolled up in a tank to question my motives. Stranger still is that those in the know freely admit they were throwing press photographers out of Sandhurst at a fair rate when the Royal Family's Princes were there.
Another, more concise example of presumed security is the "Protected by ACME Security" signs you often see in offices and on building sites. The implication is that the security provided by these companies is always going to be good enough to detect and prevent an intrusion, so an attacker shouldn't even bother trying to breach it. It's a deterrent wrapped up in a threat. So if presumed security is a position whereby an entity is safe from attack simply because it's expected to have so much protection - regardless of whether it has that protection or not - why don't we see more of it in the IT security world?
Oddly, we do, but it's not easily recognised. One classic example is the Verisign "Secure Site" seal. If a website owner wants to enable SSL on their website because, for example, they need to take confidential information from their customers, they must purchase an SSL certificate. This certificate is installed on the web server and is used to create the encrypted communication channel between a user and the website. It's the mechanism that underpins the "https://" connection and the little padlock icon in your web browser's toolbar.
For many boring and technical reasons not just anyone can roll up on the Internet and start selling SSL certificates, so a relatively small number of large companies sit at the top of the certificate food chain. These companies are ultimately responsible for issuing the certificates we all use every day for online banking, Paypal, online shopping and the like. Of these companies, Verisign is the big fish. When you think "supermarket", the first companies that come to mind are Tesco and Walmart. When you think "certificates", it's Verisign. That's how big and well known they are.
Verisign play heavily on their presence, brand recognition and credibility. A Verisign certificate is often considerably more expensive than one from a competitor, but with Verisign you get Trust-with-a-capital-T. That's because when you buy a Verisign certificate you're required to undergo some validity and identity checks to make sure you are who you say you are. If you claim to be a business, Verisign will check you're actually telling the truth and have some kind of real world, physical presence somewhere. Once you've passed the check, you receive your certificate and you're also allowed to use the "Secure Site" seal on your website. Let's see what Verisign have to say about this seal:
Impressive. If I've got an online business and I read that I'm losing 72% of my potential sales because I don't have a Verisign Secure Site seal, I'd be straight on the phone to Verisign. The sales guy would think his Christmas had come early, so eager would I be to buy a certificate. I might even buy two just to be extra secure and really, really associated with the Verisign brand. And once I'd handed over my cash, this is what I'd get:
Yes, that's it. Just that image. Really. There's no fancy security software behind it, no clever technical tricks, no highly trained ninjas protecting my website and my customers. I just get to put that image on my website. The Verisign certificate itself - the bit of data that actually secures my customers' web sessions - is no different to a certificate bought from any of Verisign's competitors. I'm paying over the odds to have the privilege of using an image to associate my website with the Verisign brand.
The Secure Site seal is a fantastic marketing trick because it's pure smoke-and-mirrors perception. It's presumed security. Verisign's customers have bought into the idea that Verisign is a big, respected, secure company we can Trust-with-a-capital-T, always. Verisign's customers' customers, that's you and I, have all bought into this idea too. We've all fallen for the hype that the Verisign Secure Site seal means something, when in reality it's just a marketing trick. We go to our favourite online shopping site, fill our baskets, spot the Verisign Secure Site seal and get a warm glow that our impending purchase will be all nice and secure. Because the website has a Secure Site seal, we presume everything is safe (well, 72% of us do, anyway). Ahh, if only it were true.
The biggest issue with the Secure Site seal is that the vast majority of Internet users don't really understand what SSL is, or how it works. The assumption that a padlock in your web browser toolbar and a Verisign seal on the website means you're secure is a dangerous one. Firstly SSL cannot protect you against a huge number of security threats, including spyware and viruses that are already on your computer. This is a whole separate topic that I won't go into here, but suffice to say that if your computer has been compromised by malware you have absolutely no security at all - SSL or not.
Second, using a simple Secure Site seal image to convey the idea of security is incredibly irresponsible. There is nothing stopping anyone simply pasting that image on to their site, just as I did earlier in this article. Verisign are creating the false perception that the presence of an image means security, and non technically savvy users believe it. It's easy to understand why: Verisign is a large and well known company, many other large and well known websites use the Secure Site seal, therefore the Verisign Secure Site seal stands for something. When laid out in simple terms it's clearly a false argument, but perceptions are often stronger than facts.
Interestingly Verisign have a stock response to this issue. When they issue a certificate they also allow the purchaser to link the Secure Site seal image to a page on Verisign's website. A user can then click on the seal to show a pop up window containing the status of the certificate and confirming that the website really is a Verisign customer. Which is fantastic, except for three rather large problems. One, it's relatively easy for a malicious person to fake this system in a convincing manner, which is why you should check the actual certificate used in an SSL session (usually by double clicking the padlock icon in the web browser's toolbar) and not rely on images on websites. Two, the vast majority of consumers don't even know you can click on the seal to get this information. And three, many websites that carry the seal don't actually bother to link it to the Verisign site. All in all, a pretty useless proposition.
Third, Verisign can only check facts, not intentions. It's perfectly possible for someone to set up a fake business, pass the Verisign identity checks and receive a certificate. Once they've got that certificate they can do whatever they want with it. They can set up an online shop and take payments for goods they never ship. They can steal credit card details, sell malicious software, or fence stolen goods. And they can do all this with a real Verisign SSL certificate and Secure Site Seal on their website. All Verisign can do is wait until someone informs them of the misuse, then revoke the use of the certificate. By then it's probably too late - the criminal will have closed down and moved on to a new scam.
Fourth, Verisign is staffed by humans who are, well, only human. They make mistakes, sometimes catastrophic ones, that can compromise the security and integrity of certificates. Probably the most well known example was back in 2001, when a Verisign employee mistakenly issued certificates to someone claiming to be from Microsoft. Whoever got hold of these certificates could easily and invisibly use them to fool users into thinking they were dealing with Microsoft. As unbelievable as this sounds it was widely reported at the time, and you can read more in the Microsoft Technet article:
In mid-March 2001, VeriSign, Inc., advised Microsoft that on January 29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation".
So if Verisign's assertion is correct that 72% of online sales are lost because of a missing visible mark of security, that's a hell of a lot of people with a fundamental misunderstanding of what constitutes proper online security. And it's also a hell of a lot of people who are going to be easily fooled into believing a little image on a website keeps them safe.
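To make the point about checking the actual certificate rather than an image concrete, here is an added illustration (not code from this article, and not Verisign's or any browser's code) of the checks a client performs on a presented certificate chain: hostname match, validity period, issuer linkage to a trusted root, and revocation. The certificates, CA name, serials and dates are constructed stand-ins; note that the "fake business" certificate passes every check exactly as the honest shop's does until the CA revokes it.

```python
from datetime import date

# Constructed trust store (stand-in for a browser's root store); the CA name,
# hostnames and serial numbers below are made up for this example.
TRUSTED_ROOTS = {"Example Class 3 Public Primary CA"}

def hostname_matches(pattern, host):
    """RFC 6125-style match: '*' may stand in for the leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def validate_chain(chain, host, today, revoked=frozenset(), trusted=TRUSTED_ROOTS):
    """Checks a client performs on the presented chain (chain[0] is the server
    certificate, chain[-1] the root). Signature verification is assumed to be
    done by the TLS library and is omitted here. Returns (ok, reason)."""
    leaf = chain[0]
    if not any(hostname_matches(n, host) for n in leaf.get("names", [])):
        return False, "hostname mismatch"
    for cert in chain:
        if not (cert["not_before"] <= today <= cert["not_after"]):
            return False, f"{cert['subject']} outside validity period"
        if cert["serial"] in revoked:   # revoked is the CA's CRL, as a set of serials
            return False, f"{cert['subject']} revoked"
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False, f"{child['subject']} not issued by {parent['subject']}"
    if chain[-1]["subject"] not in trusted:
        return False, "chain does not end at a trusted root"
    return True, "ok"

def make_cert(subject, issuer, serial, names=(), years=(2009, 2010)):
    """Build a constructed stand-in for an X.509 certificate (a plain dict)."""
    return {"subject": subject, "issuer": issuer, "serial": serial,
            "names": list(names), "not_before": date(years[0], 1, 1),
            "not_after": date(years[1], 1, 1)}

ROOT = make_cert("Example Class 3 Public Primary CA",
                 "Example Class 3 Public Primary CA", 1, years=(2000, 2028))
SHOP = make_cert("shop.example.com", ROOT["subject"], 1001,
                 ["shop.example.com", "*.shop.example.com"])
# A "fake business" that passed the CA's identity checks: its certificate is as
# valid as the honest shop's until the CA is told of the misuse and revokes it.
SCAM = make_cert("bargains.example.net", ROOT["subject"], 1002, ["bargains.example.net"])
TODAY, LATER = date(2009, 7, 9), date(2010, 6, 1)   # constructed clock values

if __name__ == "__main__":
    print(validate_chain([SHOP, ROOT], "www.shop.example.com", TODAY))
    print(validate_chain([SCAM, ROOT], "bargains.example.net", TODAY))
    print(validate_chain([SCAM, ROOT], "bargains.example.net", TODAY, revoked={1002}))
```

None of these checks look at anything on the web page itself, which is why a pasted seal image has no bearing on whether the session is secure.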
Here are the Oxford English Dictionary definitions for "presume" and "assume".
Assume: suppose to be the case, without proof.
Presume: suppose that something is the case on the basis of probability; take for granted that something exists or is the case.
Presumed security: taking for granted, on the basis of probability, that a system is secure. Just as dangerous as security through obscurity, but not as easy to spot.
Note: The screenshot of Verisign's text was taken from the Verisign Secure Site Seal main page on 09/07/09, found at http://www.verisign.co.uk/ssl/secured-seal/index.html. Interestingly the claims made on this page (as per the screenshot image) are not repeated on Verisign's USA site, which is otherwise almost identical.
Close:
The title of this article, "Dr Watson, I Presume", is taken from the name of the old Windows tool - "Dr Watson" - that popped up when an application crashed or failed to work properly.