CounterMeasures - A Security Blog � Web 2.0

ACTA, entrench & resist?

Rik Ferguson — Mon, 30 Jan 2012 17:03:09 +0000

It’s probably prudent to mention again that these blog posts represent strictly my own opinion, see my disclaimer here. In the security presentation game, we spend a lot of time talking about “bad actors”, today it has a somewhat different meaning.

The concerns with ACTA centre mostly around how the bill enforces liability on website for any links that point to disputed content and how ISPs may be obliged to dig deeper into their customers’ online activity. In the world of User Generated Content, the potential for any site to be forced to close down, in a Stalinesque way to become a “non-site” as it is obliterated from search results or even have its domain name seized, all as a result of the actions of its users, is seen as too great a threat to business online.

ACTA is in many senses the big brother of SOPA. SOPA would have had negligible effect outside of the US, as the proposed bill would only remove sites from the US visible part of the web (and even then there are plenty of ways around it). ACTA is proposed as a global “Agreement” which has been negotiated in closed-shops with only one side of the debate having been represented and no jurisdictional or democratic oversight. The closed shop appears to have been cynically and deliberately set up outside of existing structures such as the WTO perhaps to protect vested interests of large corporations and a subset, in fact a tiny minority, of governments.

Our business is not only about security, as far as I am concerned it is also about privacy and trust and this kind of legislation has a damaging effect on all three of those. Under ACTA, ISPs will become accountable for the actions of their subscribers and as such will have no option but to monitor the content that is being both posted and accessed by their customers. This represents a gross invasion of privacy and under much of the western world’s communications intercept laws is already currently at least a legal grey area, if not outright illegal. Under ACTA that same (as in SOPA) issue of sites that link to copyrighted content surfaces again with we sites facing similar risks and similar levels of accountability.

Under current copyright law (which itself should not be considered immutable) rights owners have the legal recourse to seek to defend their own property, however by the same token it should be recognised that “the internet” or even “that web site” does not fall under that definition. To propose legislation that would enable an entire site to be “disappeared” because of a link to copyright content is draconian in the extreme and undemocratic to boot.

The internet is not intellectual property, the internet is the crucible of modern innovation and in large part generated by “we the people”. US law, and many others besides, classify copyright as the right to revenue from the copying of original work in a fixed medium, the internet has surpassed this concept. If I link to a video you posted, in what sense am I “copying” and in what sense is that truly “tangible”? Is the rendering of a picture in my browser copying, or is it simply “display? How do we deal with the concepts of mash-ups, crowd-sourcing and social networks when antiquated laws must apply, and what happened to my freedom of expression?

Security is a much deeper concept that endpoints and data, security is my right to access and use the global resources available to me, unimpeded by the legal ramifications of the actions of other internet users. Legislation such as ACTA and SOPA would make this impossible. The mantra of online innovation should be adapt and survive, the mantra of rights holders is to often “entrench and resist”.

The only niche left for innovation & collaboration in an ACTA world is for ACTA compliance solutions that continually monitor your web properties for infringements (thereby monitoring also the content of any linked site as well) and remove any offending UGC promptly.

You can’t fight the power, but the power has shifted.

Rik Ferguson — Fri, 20 Jan 2012 11:04:35 +0000

One of the largest file sharing services on the Internet was shut down yesterday in US legal action. The site is charged with violation of copyright laws. The indictment (now available on scribd) charges seven individuals with online piracy, four of whom have already been arrested in New Zealand. This 72 page document also details the estimated cost to copyright holders at more than $500 million USD, while themselves allegedly earning $175 million in advertising revenue. The maximum penalty for the offenders could total 50 years of jail time.

Search warrants were executed in nine countries and 18 domain names, including mega-upload.com, were seized along with associated servers.

This indictment, unsealed right in the middle of impassioned debate over SOPA and PIPA quickly aroused the wrath of the Internet community, particularly Anonymous who have been exhorting their supporters to participate in Distributed Denial of Service attacks against US government web sites including the Dept of Justice, the FBI, the Copy right Office and the RIAA and MPAA, who were successfully taken offline as a result.

Anonymous supporters have been using the Low Orbit Ion Cannon (previously detailed here) as well as a new technique of embedded JavaScript. Several web pages have been loaded with JavaScript and the simple act of rendering that page in a web browser will in most cases recruit the browsing computer to the DDoS attack. The attacks have attracted a high level of participation and public sympathy and quickly became a trending topic on Twitter under the #OpMegaupload hashtag.

Akamai’s Real-time Web Monitor is currently showing attack traffic online at more than 24% above normal, giving some idea of the scope and geographic spread of public sympathy.

Whatever your views on online file sharing, there is no denying that this is an issue urgently in need of a solution. Consumers, artists and corporations seem to have devised workable methods in the music industry. A return to the generation of income through live performance has reinvigorated the music scene in many countries and cites. Artists have harnessed the power of the Internet for a direct sales model that bypasses the increasingly archaic music industry and online music stores have evolved to facilitate this, with the participation of the corporations, providing music at reasonable cost. It could even be argued that the new iTunes Match service represents the capitulation of the music industry to the new reality of illegal downloads. This model is beginning to be repeated in the printed world too.

In the early 1900′s music publishers decried the arrival of the “player piano” as a threat to their way of life, when I was a kid, every record bore the legend “Home taping is killing music“, Hollywood was scared to death at the advent of the VCR…

The simple truth is, technology ever advances and with it come new opportunities. Many consumers are taking advantage of those opportunities to access copyrighted material quickly, easily and cheaply (or for free). It is only by facilitating that behaviour backed by a forward-looking business model that the traditional industry can hope to survive into the future.

It’s true that you can’t fight the power, but the power has shifted.

The mystery of the “hacked” Facebook accounts

Rik Ferguson — Wed, 19 Oct 2011 14:30:36 +0000

After a day of investigation it seems that “Team SwaStika” may be attempting to take credit for compromising account details that they really had nothing to do with.

The two lists of hacked accounts (Part 1 and Part 2) have both been circulated online before the Pastebin posts were made by Team SwaStika. The list entitled Part 1 appears to have been doing the rounds on various underground forums for the better part of a year. The second list entitled Part 2 by Team SwaStika is much more recent. The first evidence I can find of the accounts listed in Part 2 is only 19 days old.

A list with content exactly matching this second Pastebin post by Team SwaStika was uploaded to a compromised website by the better known group of hackers Group Hp-Hack. Group Hp-Hack is a Saudi Arabian hacker group that has previously gained notoriety in August of this year for defacing the websites of Joomla Canada and ethicalhackingcourses.com (which remains defaced to this day).

The html list of alleged Facebook logins uploaded to a compromised web server was created in Microsoft Word and has a creation date of 1st October 2011 but was posted with the claim (in Arabic) that the list only represents 10% of the 7 million accounts that were breached by Group Hp-Hack.

Group Hp-Hack defacement

I have informed the owners of the compromised server and advised them to remove the content and once again passed this information to Facebook’s security team

Over 10,000 Facebook account details hacked and published

Rik Ferguson — Tue, 18 Oct 2011 12:02:51 +0000

An update to this investigation is available here.
_____________________________________________________________________________________________________
A hacking group calling themselves “Team Swastika” have published what they claim to be the usernames and passwords for over ten thousand Facebook accounts on Pastebin, an online service for sharing large quantities of text data online. It should be noted that the PR agency for Facebook in the UK gave me the following statement, “This does not represent a hack of Facebook or anyone’s Facebook profiles. Our security experts have reviewed this data and found it to be a set of e-mail and password combinations that are not associated with any live Facebook accounts“.

Team Swastika are a new arrival on the hacking scene, having announced their “launch” only six days ago. although they have only one tweet to their name they have already caused concern by publishing database tables and user credentials stolen from the websites of the Indian Embassy in Nepal and the Government of Bhutan, apparently by SQL injection attack.

This latest publication of what they claim to be more than ten thousand Facebook user credentials is without context and with no indication of the means by which they were stolen. The posts themselves have already been removed by Pastebin but I managed to get a look at them before this happened…

Stolen credentials for Facebook accounts

The compromised user accounts come from all over the globe, and a quick glance through the list of associated passwords shows that the majority of affected users are not using complex passwords, with many being simply a derivation of the user name, a favourite football club or a short numerical password.

The ongoing effect of such a large scale compromise can be disastrous for affected users, particularly if the password is shared for multiple accounts. It can lead to compromise of the victim’s email account which can act as the skeleton key for many other online services, as any password reset procedure will normally pass through the account owner’s email inbox for verification. regaining control of a compromised account can be a costly and time consuming process, as this recent victim explains.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to achieve this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

I have not verified if the credentials as posted are legitimate, for reasons of privacy, but have passed the full list of affected accounts on to Facebook security so that they can warn and protect their users.

Making the most of Facebook privacy – Part III

Rik Ferguson — Tue, 11 Oct 2011 12:04:07 +0000

The full guide to Facebook security settings is now available for download Making the Most Out of Facebook’s Privacy Settings.

The first part of this series can be found here, and part two here.

Lists – Control privacy when you post

Use the Facebook lists feature to divide your friends into lists. This is a great feature for protecting your privacy because it allows you to select an individual audience for each one of your status updates or wall posts, be aware though it is not possible to individualise the audience for your “Likes”.

Facebook offers three default lists; Close Friends, Acquaintances and Restricted. Dividing friends between “Close friends” and “Acquaintances” will influence how much or how little they show up in your news feed. Adding a friend to the “Restricted” list means they will only be able to see content that you make “Public”. Facebook has also introduced the concept of Smart Lists, these could be related to where you live, where you work, or where you went to school for example.

If you add a friend to any of the “Close Friends”, “Acquaintances” or “Restricted” lists, they will not be informed. However, be aware that if you add a friend to a Smart List that is related to a place of work or college for example, they will receive a notification that you have done so and will be able to approve that information for posting to their own timeline. You can also create custom lists and again your friends will not be notified if they are added to these lists. It is worth noting that when you share content with a specific list of friends, your friends will not see the name of the list you have shared it with, but they will see that you have chosen a restricted audience for your post and they will be able to see every individual name in that group.

Subscriptions

Subscriptions is a new Facebook feature that allows you to follow the public activity of people on Facebook, without having to add them as a friend. Of course this means that the possibility exists for people to follow your content, without you having accepted them as a friend as well. It’s one more reason to tightly control your privacy on Facebook. For example, default behaviour on Facebook if you defriend someone is that they will remain subscribed to you and able to see any public content and perhaps content that is shared by mutual friends too, unless you do something about it. If you want to enable or disable the permission for other users to subscribe to your content, go to your timeline and click the arrow to expand the view of your “favourites boxes”. You will see the subscriptions box, click the box and you will be able either to click the “Allow subscribers” box or, more advisedly a “Settings” button where you will be able to turn it off.

Events

Any “Public” event you have responded to will feature on your timeline and will be shared with the public, meaning that anyone viewing your Facebook profile will be able to see these events. To hide these events from your timeline, view your timeline, click “View Activity” and select “Events” from the activity type drop down menu that appears on the right. You may then hide any events you wish from being displayed on your timeline.

Check yourself out!

If you want to check how the changes you have made have affected the information you share you can view your own timeline as another Facebook user would see it, or as it is visible to the general public. To do this, select the downward pointing arrow just to the right of “View Activity”, select “View As…” and type the name of the friend whose view of your profile you wish to preview, or click the “public” link. This is a great way of identifying those last few pesky events, photos, videos or stories that may still be publicly visible. You can then find each unique event in your Activity Log and refine the audience to whom it is visible or remove it entirely from your timeline.

Five rules to remember…

1. If you post on someone’s wall then you cannot control the privacy of your post . The visibility of the comment is defined by the original post which may be less restricitve than you want, for example, “Friends of Friends”.

2. If you restrict the audience of a post in order that certain friends cannot see it that restriction should not be considered final. If someone later posts a comment that tags a Facebook user who was not a part of the original audience, then the entire thread and original post will be visible to that person. Be careful what you post.

3. If you post on, or respond to an invitation to a public event or a public page; you cannot control the privacy of your post. You can only hide it from your timeline after the post has been made.

4. If you post on a friends wall where their privacy setting is “friends of friends”, then any of your friends who are on your Restricted list will be able to see that post, because they are your friends.

5. This means that anything you post which is “Public” or “Friends of friends” (either by your own settings or those of the recipient) may show up in the ticker of people you do not necessarily know, have restricted or have defriended.

Making the most of Facebook privacy – Part II

Rik Ferguson — Tue, 11 Oct 2011 11:40:14 +0000

The full guide to Facebook security settings is now available for download Making the Most Out of Facebook’s Privacy Settings.

The first part in this series of posts can be found here.

Now it gets more granular… Let’s look at “Privacy Settings” which can be accessed through the drop down menu in the top right of your Facebook page.

Facebook privacy settings

How you connect:

Change the setting for “Who can look up your timeline by name or contact info”, “Who can post on your timeline” and “Who can see posts by others on your timeline” to Friends. The default setting is Everyone except for “Who can see posts by others” which defaults to Friends of Friends, this setting is the cause of much of the noise in the ticker that so upset everyone when it was introduced.

The settings for “Who can send you messages” and “Who can send you friend requests” are just a question of how contactable you want to be, personal preference, again the default is Everyone.

How tags work:

Set Timeline Review to On. This does not stop you from being tagged in posts and those posts and tags will still appear in others’ feeds if they are connected to the originator or to someone else tagged in the photo, but they won’t appear on your wall/Timeline until you approve them. By default this is turned off.

Set Tag Review to On. When someone tags your content, you must review before it is posted. This is useful because once a person is tagged in a picture, post or comment, both that person and their own friends can see the content. Content you may not have wanted to share more widely. By default this is turned off.

Set Maximum Timeline Visibility to Friends. This controls the maximum extent of who can view posts to your *own* timeline. Don’t forget this content may have initially been posted on someone else’s wall and you cannot restrict the visibility of the original post. By default this is set to Friends of Friends.

Set Tag Suggestions to Off. This feature will suggest your name when someone uploads a picture that Facebook thinks looks like you. By default this is turned on.

Set Friends can check you into Places to Off – that way, you’re not going to get checked in to somewhere you would rather have kept secret, or even somewhere you never were. By default this is turned on.

Apps and websites

The Information accessible through your friends section controls what information about you can be accessed by Apps that your friends may have installed. Deselect every check box in this section. You will find that by default they are almost all allowed.

Instant personalisation shares Facebook data with certain partner websites. If the option is available, uncheck the box to turn it off. If it is greyed out it means that Instant personalisation is not yet available to your account. Note that it is turned on by default, so try to remember to keep an eye on it because you are not able to disable until the feature is already turned on…

Public Search, if you’ve been following the recommendations so far, this feature should already be off because you changed Who can look up your timeline to Friends only.

Limit the audience for past posts. Click Manage past post visibility and then click Limit old posts. This will ensure that any posts you have made in the previous years on Facebook will have their privacy restricted to Friends only. Unfortunately there is no indicator that tells you whether you have previously done this, so if you’re unsure, just do it again.

Part three of this series is available here.

It ain’t the Timeline, it’s the Ticker, Doc.

Rik Ferguson — Fri, 23 Sep 2011 22:38:12 +0000

Ever since the forthcoming Facebook profile changes announced earlier this week at the f8 Facebook Developer Conference, there has been a lot of talk online about how the new Timeline layout of your user profile will affect your privacy.

Essentially Facebook is taking all of the information that you have already entered into the social network, your profile, your photos, your posts, comments and other’s comments about you and presenting it in clickable chronological order. This has given some commentators cause for concern. Not I.

I’ll admit that when I first read about the changes I was a little worried, even to the point where I messaged my girlfriend to express my concern (I know, geek). So I thought to myself, “Ferguson, don’t be so negative, at least check it out first before going off the deep end.”

So I logged into Facebook and enabled the new Timeline view (it’s not publicly released yet, but here’s how you can get it in advance) and to be honest I loved what I saw. It’s pretty, it’s intuitive and it certainly says a lot more about me (it’s a profile after all) than the previous layout.

Enough of the aesthetics though, what of the security concerns? The thing that led me to write this blog was an article by Gregg Keizer which featured commentary from Sophos’ Chet Wisniewski. Chet is of the opinion that the new layout simplifies the procedure of data mining any given individual, he says “Timeline makes it a heck of a lot easier [for attackers] to collect information on people“. He’s right too, If I had previously wanted to look at everything someone had ever done on Facebook , it would mean a aeons of clicking to load older posts. Now it’s all presented in a scrollable timeline, much more simple. So why do I disagree?

Timeline certainly makes it easier for anyone who has access to my profile to find out about my Facebook past, but my profile is set to private. Not only that I am also very selective about who I add as a friend on Facebook. In all honesty I really don’t mind my friends data-mining me if they have nothing better to do on a rainy afternoon. I’d have to wonder why, but hey, whatever turns your crank… Incidentally, Timeline also let’s you work out who has “unfriended” you.

Of course if my profile was configured to be viewable to the general public, or if I added just anyone as a friend, then timeline would indeed add a whole new set of concerns. To be honest though, if your Facebook profile is publicly viewable or your an inveterate befriender of stranger, you have far bigger concerns already… None of you do that, do you?

There has to be something that worries me in the new Facebook though, and as my fellow Tweeter Kurt Wismer agreed, it’s the Ticker. You’ve seen the Ticker, right? It’s the new scrolling display of updates int he top right corner of your Facebook page. Why do I worry about the Ticker? It publishes all your activities, including check-ins, in real time to all your friends, including your interactions with people and groups those friends don’t know (if that content is public). This is very much a stalker enabler. Now not only can I watch what you are doing on Facebook with people I know, I can also see when you comment, post or like something I have no connection to whatsoever, this is A Bad Thing.

For now, there’s not not you can do about this other than appeal for Facebook to reconfigure this functionality and apply the same kind of discretion any normal person applies in real-life. There is current a groundswell of people posting the following status and for now it’s the only option you have…

Here’s the text in case you want to copy/paste.

“Please do me a favour: please hover over my name here, wait for the box to load and then hover over the “Subscribe” link. Then uncheck the “Comments and likes” choice. I would rather my comments on friends’ posts not be republished. Thanks** Then repost if you don’t want your EVERY MOVE posted on the right for everyone to see! :) i’ll do the same for you if you want. just click “like.”

LinkedIn? OptOut!

Rik Ferguson — Thu, 11 Aug 2011 10:40:49 +0000

UPDATE: It seems the Dutch government are already asking questions about whether this new behaviour breaches their data protection legislation.

Having seen this blog post, the first “victim” of social advertising has come forward and he’s one of my own colleagues he tweeted a few days ago:

Click to enlarge

Original Article
_________________________________________________

In my periodic trawl through the account options and settings of the social networks I entrust with my data, I discovered a few new “features” on LinkedIn that really made me angry.In a move reminiscent of some other social network providers *cough*Facebook*cough*, LinkedIn have decided to introduce targeted advertising and “social advertising”.

“Yeah, big deal, I expect advertisements on web sites” might be your initial reaction. Well, do you expect your own name, face and personal information to be used in those advertisements? If you don’t and you’re a LinkedIn user, you might want to log in today and have a look at your new default settings.

Once logged into LinkedIn, look to the top right corner where you will see your name in a drop-down menu, hold the mouse over your name and choose “Settings” in the menu that appears. This is where you can opt out of these new “features”.

Click for a larger image

Once you select the Privacy Controls you will be able to untick the boxes that have allowed your personal information to be used without your consent.

Click for larger image

While you’re in there, I hope you’ll be inspired to have a look around the other account settings, I’m sure you’ll find a few more that you will want to disable, like this little gem (in the Groups, Companies & Applications section)…

Click for larger image

LinkedIn have added these new features and opted all their 120 million users in without any form of notification, even though in my profile at least the option to get feature update mails was ticked (another default). I called the Information Commissioner’s Office in the UK and they confirned that this would be a breach of the Data Protection Act if the data were stored or processed in the UK.

At the risk of repeating advice from yesterday be very careful what information you are sharing online, not only can you not trust strangers, but it appears you also can’t trust your social netowrk provider of choice to keep your details confidential, or even to notify you that they have statred sharing them, don’t forget, it’s not just LinkedIn…

Anonymous vows to attack Facebook?

Rik Ferguson — Wed, 10 Aug 2011 12:25:50 +0000

In a new video, Anonymous or at least an element of the “loose online collective” (how much am I growing to despise that term?) has announced plans for a coordinated attack on Facebook to be launched on the auspicious date (at least here in the UK) of the 5th of November. The video calls for volunteers to join the assault but does not give any details on planned activity. The video should for now be treated with suspicion. It was posted almost a month ago and yet has not been widely publicised, or publicised at all, on the usual Anonymous channels. The Twitter profiles that appear to be associated are inactive, and in a masterstroke of irony, there’s even a Facebook page for it

According to the video, Facebook deserves to be “killed” for a number of reasons

1 – They store personal information and do not delete it – “even if you “delete” your account, all your personal info stays on Facebook and can be recovered at any time. Changing the privacy settings to make your Facebook account more “private” is also a delusion. Facebook knows more about you than your family“.

2 – They sell rights of access to your data to external agencies - “Facebook has been selling information to government agencies and giving clandestine access to information security firms so that they can spy on people from all around the world. Some of these so-called whitehat infosec firms are working for authoritarian governments, such as those of Egypt and Syria”

Having set out their reasons, they sign off with the message “We exist without nationality, without religious bias. We have the right to not be surveilled, not be stalked, and not be used for profit. We have the right to not live as slaves.”

Let’s examine these accusations. Firstly data retention; according to Facebook’s own Privacy Policy “When you delete an account, it is permanently deleted from Facebook.” which seems pretty clear cut. There is a later caveat in a section dealing with backup copies of data that states, “Removed and deleted information may persist in backup copies for up to 90 days, but will not be available to others.” Of course if you have chosen to share information on Facebook and that information has been further shared by your friends or contacts, then you must consider it has passed beyond your control. This is the primary reason why caution should always be uppermost in your mind when posting anything online. On the face of it, point 1 of the Anonymous gripe seems invalid.

Secondly, Facebook sells information to third parties? Again a squint at the Privacy Policy tells us Facebook’s approach to this matter; “We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities.”

So, without getting into a debate about the rights and wrongs of specific governments around the globe, Facebook is certainly open that they will share information in response to requests from both US and “foreign” jurisdictions under the laws applicable in that jurisdiction. What is the lesson to take from this? If you are a Facebook user and you consider that your local government or law enforcement may take unwanted interest in your social networking activities then pay very close attention to the information that you disclose, both on your personal profile and in your activities on the website. If you are engaging in activity which your government would rather you didn’t, be aware that a legal or civil request to this social networking provider may well be honoured.

The biggest and most important point though is this. Facebook is voluntary. You join Facebook because you want to. You provide information of your own volition and essentially at your own risk. If Facebook does know more about you than your own family, it is only because you told them. Conversely, while the social networking provider does provide relatively granular controls over how and who you share your data with, it is certainly my opinion that the default settings on an account are still too open, and the mechanisms for controlling sharing too complex.

Posting information anywhere online is similar to pasting up a notice in a global meeting hall and should be treated in that way. Even if you restrict access to your information to only your friends, you cannot control how that information is further shared by people within your circle of trust. If you aren’t happy to stand in a crowded shopping centre and repeatedly shout out your telephone number, you shouldn’t be making it available online, anywhere.

However, the thing that bothers me most in the Anonymous announcement is the phrase “One day you will look back on this and realise what we have done here is right, you will thank the rulers of the internet, we are not harming you but saving you“. Joseph Goebbels once said something very similar, “It is the absolute right of the State [the rulers of the internet?] to supervise the formation of public opinion.“.

“For your own good is a persuasive argument that will eventually make a man agree to his own destruction.” – Janet Frame.

5 Security Questions for your SaaS provider

Rik Ferguson — Thu, 04 Aug 2011 12:49:51 +0000

used by permission from ky_olsen's Flickr stream

Software as a Service is seeing sustained growth and sustained adoption in both enterprise and in the home. According to a Gartner release in July 2011, Software as a Service revenue reached $10 billion in 2010 and is still growing. In fact Gartner estimate growth of over 20% 10 $12.1 billion on 2011.

The Gartner definition of Software as a Service is software that is “owned, delivered and managed remotely by one or more providers. The provider delivers an application based on a single set of common code and data definitions, which is consumed in a one-to-many model by all contracted customers anytime on a pay-for-use basis, or as a subscription based on use metrics”. The example that is cited in almost every article and presentation on the subject is Salesforce.com, and while they are a major provider in the SaaS arena it is important to recognise that SaaS comes in many different flavours. Customer Relationship Management, Human Resource Management, Cloud backup, Collaboration platforms, accounting platforms, helpdesk management, managed services and web or email filtering to name but a few.

The economic benefits, to providers and customers alike are relatively obvious to spot, the cost of user provisioning (the SaaS model) when compared to the cost of application acquisition, licensing and rollout (the on-premise model) is extremely attractive. The SaaS provider is able to more quickly and easily update and manage the software and service due to its centralised nature, application improvements are easier to make as a result of the visibility the provider has of customer usage patterns and the scalability and pay-per-use is attractive for both customer and provider. In addition the possibilities for integration and open interfaces are greater, with many SaaS providers already offering social media-like collaboration functions or open interfaces (APIs).

While SaaS may offer a flexible and cost-effective alternative to a traditional application environment, it is not without risk. By moving to a hosted platform, as opposed to in-house, enterprises must necessarily sacrifice a large element of control over parts of their operating environment. With SaaS in particular, almost the only choice you have is whether you upload certain data or not, the rest is largely out of your hands. You do of course retain the legal and regulatory accountability for the security of your data.

The risks in a SaaS environment are many, and largely related to the benefits offered. As I mentioned previously, your provider has access to your usage habits of the platform, normally through some kind of web analytics, they also have the capability of accessing all of your data and this in itself presents the risk of unauthorised access or monitoring by an insider.

The centralised nature of the system and the “one configuration fits many” model of the multi-tenanted environment means that, should a vulnerability affect one customer, there is a strong possibility that other customers will be equally affected. The Epsilon breach is one of the more recent examples and it affected many Fortune 500 companies using the same SaaS provider. The scope for exploits of vulnerabilities is wide. Common protocols and the software stack are used by most SaaS providers (HTTP, XML/SOAP, JSON, CSS and JavaScript) and these are readily and regularly exploited if not correctly engineered, implemented or configured. Additionally, the more scope a platform offers for customisation and external integration (a key selling point for SaaS vendors), the more chance there is that some other customer will introduce a vulnerability from which another may suffer the consequences. Such is the nature of a multi-tenanted environment.

5 Key security questions to ask your SaaS provider:

1 – Penetration testing – How is the environment pen tested, how often and do you have the ability to independently pen test your own part of the environment? Without regular, in-depth pen testing you have no visibility of your current security posture.

2 – Data Security – How is data encrypted in storage and in transit across the shared resources of the SaaS provider data centre? Who has access to the keys? Is separation of duties and separation of keys and data maintained? Can the provider offer you a SAS 70 report?

3 – Multi-tenancy – Is there an option that provides for single tenant hosting? Also explore whether this single tenancy comprises simply the application or also the data storage?

4 –Disaster Recovery – In the event of catastrophic failure, or external intrusion and data loss what backup and recovery procedures are in place? Where is backed up data stored (and encrypted again) and how is it effectively restored?

5 – User Authentication – What is the sign on procedure for the SaaS application? Are multiple factors in use? Is it possible to integrate sign-on with authentication structures already in use by the customer?