The last couple of weeks I have been dealing with a security compliance scan for a website that handles financial transactions. I’m not going to tell you who is involved in any of this though. If anything it is just a general reminder that a lot of things that are touted as secure are very brittle. Not everything, but a lot of things.
For instance, a couple weeks ago the Washington Post ran an article where they explained how Social Security Numbers can be predicted. Somebody can guess yours.
Anyway, while talking to one of the guys from this security company, he misread the output of a standard testing tool called nslookup. It is for a quasi-obscure vulnerability and I’ll admit that I misread one minor item on their report, so we’re even.
I just received a second report from this same company for a scan of another computer. The scan passed the computer with flying colors. So, why is this a problem? The scan didn’t detect anything. At all. It didn’t even see a web server running, but we are certified to use their compliance logo on it.
These scans serve a legitimate purpose but some days I can’t help but wonder about people. This is why hackers have a saying that nothing is completely secure. There is always a way in.
Don’t trust any more of your data to computers than you absolutely must.
PS. Don’t worry if all of this doesn’t make sense. I could explain in more detail but I’m afraid it would make this post even less readable for most people.
Comments
Submitted by Carol on
...interesting. Thank you. How much vulnerability do chat programs (AIM, YAHOO etc.) add? I heard some bad things about those.
Submitted by Chris on
Chat programs typically do not encrypt conversations which means that other people can keep track of what you are saying. The FBI has a well-known program (in security circles, anyway) called Carnivore that monitors most communication and it has been in use since the days of Bill Clinton. The sad thing is that there are worse programs out there too, such as ECHELON which is an international project. That ignores what your family, internet service provider, the chat company, or others could collect. E-mail and most other web traffic falls under this same restriction.
Then there are also bugs in the software itself. Some of those have the potential to give someone else control of your computer. I remember reading an article a few years ago about one chat company that exploited their own bug to update the program. It is both amusing and sobering.
Think that’s bad? The iPhone currently has a similar bug in its text message processing. Because that is a core feature of the phone, the *only* thing that you can do to protect yourself is to turn off the phone. In that respect, I would say that the instant messaging you and I use is hardly any worse than anything else.