Wednesday, June 10, 2009

Why people don't get security

Security is only as strong as your weakest link.

Everyone has heard this. It seems obvious. Yet, people repeatedly fail at understanding it.

Recently, a startup called "StrongWebMail" offered a $10k competition to hack their CEO's webmail account. They give you the CEO's password. Their hook is that they also authenticate by calling you back on the phone, so knowing their password isn't enough. Hackers broke in and claim the reward using a typical cross-site-scripting attack.

When conceding, StrongWebMail said this:

It is important to note that the front end protection offered by StrongWebmail.com was not compromised. In fact, Lance [James] and his team were forced to find a way around the phone authentication. We are working with our email provider to solve this vulnerability and ensure that the backend email software is more secure.

This misses the point. The flaw used to crack the system wasn't something rare or unusual, it was instead the most common flaw in web applications. It is a type of flaw that was first exploited over a decade ago in webmail applications.

At the same time, all webmail providers can fix flaws like this within hours, not wait weeks for some other organization to fix the flaw.

This is like advertising you have elite commandos protecting the front door of your bank, yet leaving your back door open. Sure, no other bank has commandos, yet no other banks leave their back door open, either.

Nobody cares about the strength of your strongest feature. What people care about is the strength of your weakest feature. By this measure, StrongWebMail is less secure than any other e-mail system and you would be a fool to rely upon it. It doesn't matter how strong their strongest link is when they have so many weak links.

UPDATE:

By the way, the simple fact they had this contest in the first place means they cannot be trusted. It's a magic trick most frequently used by snake-oil salesmen.

UPDATE:

I misspelled the name in the first post. It should be "StrongWebMail" not "StrongMail", which refers to a completely different company.

7 comments:

Chris Drake said...

We actually have an exclusive interview on the "StrongMail" competition with Lance James on our blog at http://www.fireblog.com

mokum von Amsterdam said...

I claim that snake-oil has been the best & longest selling product ever so using the product might be a very bad idea, investing in the people able to sell hot air might be good ;)

Darren said...

You are confusing StrongMail (http://www.strongmail.com) and StrongWebMail.com. These are two completely different companies. StrongMail.com offers on-premise email marketing solutions and is not affiliated with StrongWebMail.com.

Mike Smith-Lonergan said...

Nicely called. It's painful to watch people blunder around security "solutions" like this - mitigating one specific use case, but not the end-to-end scenario. I really hope these guys either (a) get a clue (and perhaps a comprehensive security plan) or barring that, (b) get sued, close up shop, and go to work for someone who actually is in possession of the fabled Clue.

MadmanTM said...

There was a similar situation when a CEO of a security company offering a secure way to protect your online identity offered his social security number, two days later 500$ was donated to a charity from his name.

Declare.James said...

Is there a waiting list for the next contest that strongwebmail puts out. I could use the easy cash. Thanks

LonerVamp said...

Hopefully they have learned a valuable security lesson...beyond what they'll admit in press releases and marketing posts.