Coffeehouse Thread

19 posts

Autosave is unsecure - UK Government

  • Jaz

    Microsoft and various other companies have got it all wrong.  Today the UK Government came out and said that autosave is unsecure; every tech company implementing it since year dot has got it wrong, users don't want autosave!


    Iain Duncan Smith on the BBC Radio 4 Today show (http://www.bbc.co.uk/programmes/b006qj9z) claimed that autosave is unsecure, that by offering this feature, users could have their accounts hacked and information entered can be cloned.  He also suggested that this was designed by users (from user studies).


    Sigh...

  • Dr Herbie

    @Jaz: Standard politician's approach -- "I don't want it therefore we should remove it for the good of everybody."

    Herbie

  • GoddersUK

    Shame I'd left the house by that point, it'd have given me a good morning giggle.

    (time is 2:36.34 onwards)

    But then what do we expect? After all the UK government considers "wish-it-was-two-factor" authentication to be secure.

  • blowdart

    And yet, last week, autosave was catching terrorists. Can't win really.

  • Jaz

    @blowdart: I think that proves just how unsecure autosave is for terrorists.

  • cheong

    The HK Government has a requirement that for every machine that has access to confidential data, the Temp folder must be encrypted and there must be software that wipes the folder clean when the user logs out.

    As long as Autosave saves to the same folder as the destination folder, or to the Temp folder when the save path is not yet known, they should be fine.

  • evildictaitor

    cheong wrote:

    The HK Government has a requirement that for every machine that has access to confidential data, the Temp folder must be encrypted and there must be software that wipes the folder clean when the user logs out.

    The UK Government has a requirement that every computer at RESTRICTED or above has full BitLocker encryption, as well as a functioning TPM module for secure boot.

    In fairness, that's because we've had a whole bunch of idiots leave laptops on trains before :/

  • GoddersUK

    evildictaitor wrote:

    In fairness, that's because we've had a whole bunch of idiots leave laptops on trains before :/

    Although encrypting data that often shouldn't be on the laptops in the first place is not exactly what I would term a solution...

  • evildictaitor

    GoddersUK wrote:

    *snip*

    Although encrypting data that often shouldn't be on the laptops in the first place is not exactly what I would term a solution...

    No, but it's definitely part of the solution. I'd rather some guy on a train have access to a large amount of undecipherable data that shouldn't be on the laptop than have access to it in plaintext.

    Knowing what data should and shouldn't be on a laptop is a case-by-case decision, and given the number of government employees and how much of the data they have would be considered by someone-or-other to be important if it were lost (from the DVLA to your tax records to medical details etc) - it seems like these mistakes are inevitable, just by sheer force of numbers.

    Which leaves government with three options:

    1. Don't have any data that people care about (not going to happen)

    2. Don't ever put data on laptops, or take laptops out of buildings (this makes it hard for the government employees to work from home, meet contractors etc, so there is a large cost associated with this. For very high value information - such as MI5, MI6 and the police etc, this is a good blanket solution that doesn't leave anything to chance or rely on Bitlocker)

    3. Bitlocker everything. Continue to discipline staff who lose laptops, but at least this time when (rather than if) someone loses a laptop, the chance of the data being leaked to criminals, the press or the Internet is very much lessened.

  • GoddersUK

    evildictaitor wrote:

    2. Don't ever put data on laptops, or take laptops out of buildings (this makes it hard for the government employees to work from home, meet contractors etc, so there is a large cost associated with this.

    It may be true for some of the data that gets lost (e.g. a laptop with security plans for a major event) that not putting it on a laptop would be an inconvenience, but there are many, many cases of lost data (and it's not just the government that this happens to) where they leave behind a laptop or portable storage device that has a database of individuals' data on it. There is no excuse for this ever being on a personal computer. If they need to work out of the office they should VPN onto the corporate network and access the data remotely.

    I applaud encryption of the data, it's a step in the right direction. But, in the words of XKCD, "strictly speaking it's better than the alternative, yet someone is clearly doing their job horribly wrong".

    EDIT: Of course, even on the server, the data should still be encrypted.

  • evildictaitor

    GoddersUK wrote:

    *snip*

    It may be true for some of the data that gets lost (e.g. a laptop with security plans for a major event) that not putting it on a laptop would be an inconvenience, but there are many, many cases of lost data (and it's not just the government that this happens to) where they leave behind a laptop or portable storage device that has a database of individuals' data on it. There is no excuse for this ever being on a personal computer. If they need to work out of the office they should VPN onto the corporate network and access the data remotely.

    I applaud encryption of the data, it's a step in the right direction. But, in the words of XKCD, "strictly speaking it's better than the alternative, yet someone is clearly doing their job horribly wrong".

    EDIT: Of course, even on the server, the data should still be encrypted.

    But without encryption, the pagefile, any synchronised documents and the VPN keys are all recoverable.

    If you work for a company, and you don't have encryption on your work tablet/laptop then you shouldn't be allowed to take it outside. And even if you didn't want to ever take it outside, encryption won't hurt.

    Bitlocker everything, do it now. Now add two-factor auth and swipe access to your offices. Until you've done that, everything else is just pretending you've got security.
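An added compliance check (not from this thread or any of its posters), in PowerShell, for the requirement evildictaitor describes: every volume fully BitLocker-encrypted with protection on, and a functioning TPM unlocking the OS volume. It assumes the BitLocker and TrustedPlatformModule modules that ship with Windows 8 / Server 2012 and later, an elevated session, and a placeholder script name.

```powershell
# Added example: report whether this Windows machine meets "full BitLocker
# encryption plus a functioning TPM". Assumes an elevated session and the
# BitLocker / TrustedPlatformModule modules (Windows 8 / Server 2012 or later).
# Run as: .\Check-DiskEncryption.ps1   (placeholder name)
#Requires -RunAsAdministrator
Import-Module BitLocker -ErrorAction Stop
Import-Module TrustedPlatformModule -ErrorAction Stop

$tpm      = Get-Tpm
$volumes  = Get-BitLockerVolume
$findings = @()

# A TPM that is absent or not initialised cannot protect the BitLocker key.
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $findings += "TPM missing or not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))"
}

foreach ($v in $volumes) {
    # Every OS or data volume present must be fully encrypted with protection on;
    # 'EncryptionInProgress' or 'Off' leaves plaintext on disk.
    if ($v.VolumeType -notin @('OperatingSystem', 'Data')) { continue }
    if ($v.VolumeStatus -ne 'FullyEncrypted' -or $v.ProtectionStatus -ne 'On') {
        $findings += "$($v.MountPoint) $($v.VolumeType): $($v.VolumeStatus), protection $($v.ProtectionStatus)"
    }
    # The OS volume should be unlocked by a TPM-based protector (Tpm, TpmPin, ...),
    # not only by a password or a recovery key.
    if ($v.VolumeType -eq 'OperatingSystem') {
        $tpmProtector = $v.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
        if (-not $tpmProtector) {
            $findings += "$($v.MountPoint): OS volume has no TPM-based key protector"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: all volumes fully encrypted with protection on; TPM present and ready"
    exit 0
}
Write-Output "NON-COMPLIANT:"
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

Because the pagefile, synchronised documents and locally stored VPN keys all sit on the volumes this script inspects, a passing result covers the at-rest exposure listed above; it says nothing about a machine lost while it is unlocked.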

  • GoddersUK

    evildictaitor wrote:

    *snip*

    But without encryption, the pagefile, any synchronised documents and the VPN keys are all recoverable.

    1) I'm not suggesting they don't encrypt, I'm just suggesting that they shouldn't be relying on encryption. If I ask how I know my data is safe and they say encryption I won't be satisfied (although I will be less dissatisfied than I am at the moment).

    2) I'm precisely suggesting they wouldn't sync the documents. They'd log onto the database, say via SSH, view what they needed to, change what they needed to and be done with it. There may be cases where a specific individual's files are required offline and they have to keep them locally, but that should never need to be more than a handful of individuals in one go. That's just an unavoidable risk. Yes, encrypt but don't have a false sense of security. Work in a remote/virtual desktop on the server if needs be.

    3) The VPN keys are hopefully password protected. That user's keys should be revoked and replaced as soon as the laptop is lost. Even better, your logs will help you know if any data has been compromised, whose data and even some clue as to by whom.

    4) The pagefile: Not my area of expertise. But your complete database with millions of people's records won't be in there, right? Regardless, you've made the bad guys' job harder.

    If you work for a company, and you don't have encryption on your work tablet/laptop then you shouldn't be allowed to take it outside. And even if you didn't want to ever take it outside, encryption won't hurt.

    Bitlocker everything, do it now. Now add two-factor auth and swipe access to your offices. Until you've done that, everything else is just pretending you've got security.

    I'm not disagreeing. But I don't think "it's encrypted" is an excuse for having that data stored locally on a portable device. And it's only cold comfort - after all you have to assume that once an attacker has physical access to a machine it's compromised (sure, it helps that you probably won't get it back so surreptitiously sticking a key logger in there won't help them, but I'd argue that the point still stands).

  • GoddersUK

    The fun doesn't stop here it seems. In an effort to ensure tried and tested usability and security the DWP have some interesting requirements for online benefits claimants.

  • evildictaitor

    GoddersUK wrote:

    The fun doesn't stop here it seems. In an effort to ensure tried and tested usability and security the DWP have some interesting requirements for online benefits claimants.

    That is appalling. Someone should be fired for that. If the only way to access your benefits is by running completely unsupported operating systems and browsers that are attached to the Internet, and it doesn't support the majority of users of the site (who on average will be Windows7+ and Chrome or IE8+), then the DWP have demonstrated once again that they simply cannot be trusted to contract out any kind of IT.

    Hell - even the DWP won't be able to access the site before the year is out, because they won't be allowed to run XP/IE6 once it leaves extended warranty less than a year from now.

  • cheong

    evildictaitor wrote:

    *snip*

    That is appalling. Someone should be fired for that. If the only way to access your benefits is by running completely unsupported operating systems and browsers that are attached to the Internet, and it doesn't support the majority of users of the site (who on average will be Windows7+ and Chrome or IE8+), then the DWP have demonstrated once again that they simply cannot be trusted to contract out any kind of IT.

    Hell - even the DWP won't be able to access the site before the year is out, because they won't be allowed to run XP/IE6 once it leaves extended warranty less than a year from now.

    No, that's how outsourcing works.

    The contract will include the list of systems to support and the vendor has no obligation to support OS/browser combinations outside the list. Considering this is Win9X-WinXP era production, I can imagine there are many compatibility hacks put in the code. To support a newer OS/browser combination, great effort would be needed so the bill would be charged sky-high.

    If it's written by employees, not subcontractors, they'd just point to it and say "Fix it."

    They should probably hire someone to rewrite the thing from scratch, and that means we're probably not able to see a new website for one or two years. (Including time lost to the procurement process, (un)expected delays that are common with subcontractors, etc.)

  • GoddersUK

    @cheong: No, there's no excuse. Vista and IE7 were released 7 years ago. That's plenty of time to fix what is an important (and I can't imagine particularly challenging) website. This isn't some corner shop outfit, it's a national government.

    EDIT: Although most corner shops probably have better IT systems than the UK government anyway...

  • cheong

    GoddersUK wrote:

    @cheong: No, there's no excuse. Vista and IE7 were released 7 years ago. That's plenty of time to fix what is an important (and I can't imagine particularly challenging) website. This isn't some corner shop outfit, it's a national government.

    EDIT: Although most corner shops probably have better IT systems than the UK government anyway...

    FYI, I finished a government project in HK in 2009 that targeted WinXP+IE6 only. The project development lasted for 2.5 years and the procurement process lasted about half a year if I'm not mistaken. And you don't expect the government to allocate funds for the "next stage" project when the "new" one has just gone live, right? And all "software development" budget has to be added to the annual budget of the corresponding department submitted in Feb.

    Say we allocate the required budget next Feb, risk a challenge from auditing to shorten the procurement process to 3 months, and assume it's trivial development so it only needs a development time of 3 months + 3 months UAT (you rarely see a government project with development time lower than 3 months because it'd be too risky for them, and there would be not much profit in the project); the earliest estimate if nothing goes wrong would be that we'll see a new website by Nov 2014.

  • evildictaitor

    cheong wrote:

    No, that's how outsourcing works.

    The vendor didn't write the contract themselves. Someone at the DWP made that contract that didn't specify that it should work on the OS/browser combinations that actually matter, and that someone should be fired.

    When you write a contract you specify what criteria the contractor must fulfil in order for the contract to be "fulfilled", and hence for the contractor to get paid.

    If your contract is so retarded that it allows a website that doesn't work except on WindowsXP/IE6 to be "the finished product" less than a year before that combination leaves service and cannot be used at all within the UK government and isn't used by 90% of the population, then you shouldn't be allowed anywhere near another government procurement project with a pen ever again.
