Facing up to stupidity and laziness

There’s still one month left of 2015, but let’s make a safe prediction for next year: the number of information leaks will hit new records.

That’s not because there’s less awareness around security issues, or tighter budgets. Everyone knows security is paramount and that money needs to be spent securing your systems.

Instead, the problem is that while that message has gone out and been received, it really hasn’t been understood. The problem seems to be one of both laziness and stupidity.

Several recent examples illustrate this: Dell, with decades of experience and expertise, a world-famous IT company that should know better, stuck multiple fake SSL/TLS digital certificates on its systems, leaving them open to interception and allowing malware to be signed and trusted as good software.

Dell had to scramble to sort out the problem before attackers started to exploit the certificate vulnerability, but it never should have happened in the first place.

Managing digital certificates can be complex, but Dell’s basic errors of adding a self-signed certificate with a private key included was just asking for it.

There was even a precedent - the Superfish scandal in May saw Lenovo take one on the chin, hard, for being stupid and putting its users at risk. That Dell learnt nothing from that very well-publicised incident is hard to fathom.

Dell was lucky, and as far as we know, nothing happened. Only a few days later, however, another SSL/TLS issue popped up on the radar.

This time it’s millions of internet-connected systems that are vulnerable to quiet data interception, because the vendors who manufactured them added and reused static SSL/TLS credentials. 

Over 900 products from something like 50 device vendors are vulnerable, including 26,000 Cisco devices on Telstra’s network.

Fixing that global, gigantic mess will be incredibly difficult if not impossible as it involves persuading multiple vendors to:

• Understand the problem
• Develop a fix for it, and test it
• Get the fix out to partners and telcos
• Make sure the fix is deployed.

Don’t hold your breath for it to get sorted out anytime soon.

That particular situation should, again, never have happened, but it did, and we will see even more of such issues soon.

It’s time to renew the call to make organisations that fail to act responsibly liable for their stupidity and laziness as well as the avoidable mistakes that can have serious consequences that last for a long time.

The recent hack of Chinese educational toy maker VTech shows us why: millions of parents with hundreds of thousands of childrens' sensitive personal data was captured with consummate ease, leading to a dangerous situation that has the potential to be almost impossible to rectify..

Luckily, the 4.8 million parents and their children dodged a bullet because the hacker said he wouldn’t pass on the data to anyone apart from the publication that reported the breach.

VTech freely admitted it had no idea that the data breach had taken place until it was told by media. “Amateur hour” doesn’t begin to describe VTech’s approach to IT security - it is not fit to hold sensitive data, especially on children.

How sensitive? Try pictures of thousands of parents and kids, 190GB worth, along with chat logs.

Last year, security researcher Paul Vixie suggested we introduce risk management through regulation and create treaties with security provisions that countries have to abide by if they wish to do business with us. 

Let’s take that notion further, and make it mandatory for organisations to show they've followed best practice when it comes to security before they can ask for and store user data.

Adding more regulation is never a step to take lightly but if it stops just some of the examples of rank stupidity and utter laziness expected to arise in the very near future, it's worth it.