Wednesday, August 5, 2009

QHSR Dialogue and Security

I ran into an interesting ‘idea’ yesterday posted on the QHSR Dialogue web site under the Counterterrorism and Domestic Security Management topic. If you remember from yesterday’s QHSR post, an ‘idea’ is any comment, information, or other posting made to the QHSR site by one of the participants. One thing that struck me about this ‘idea’ was the level of emotional content that was included in the description of the problem that platinum5152 identified in this idea. The other ideas that I have read are much more dispassionate. While I do not personally agree with the degree of the problem identified in this idea, it is refreshing to see that real passionate people with personal stakes in security issues feel free to involve themselves in this dialogue. You’ll note that I have completely danced around the actual issue involved here. The reason for that is that I want to separate out just a portion of identified idea for consideration in this posting. In fact, I want to just focus on just the first three sentences of the idea that platinum5152 posted and leave the rest of that posting to the QHSR Dialogue. Lack of Cyber Security Platinum5152 started off the idea by writing that:
“This DHS Quadrennial Homeland Security review website is not secure. When users are logging in and registering to put their ideas out here, the userids and passwords are being transmitted in the CLEAR! Anyone can sniff the line and get everyone's userid and password. DHS needs to focus more on cyber security!”
Now, from the remainder of the posted idea we can tell that our writer is an IT specialist with a background in security. Platinum5152 caught something that all internet users (myself included) are supposed to be alert for, the absence of the LOCK. Think about it, the little padlock in the corner of the browser that lets you know if it is safe to type your credit card number into the browser to buy whatever online fancy caught your attention. The writer noticed that the padlock was missing from both the registration and sign-in screens; not unlocked, but completely missing. Now that does not mean that those pages were not adequately protected; the person who designed those pages may simply have decided not included the security symbol on the page. It’s possible… not very likely… but possible. No, it is much more likely that no one considered the need for security on these pages. After all no credit card numbers, no social security numbers, nothing requiring security is being posted to these pages. But they did require passwords…interesting. No, I think that platinum5152 was correct, DHS does need to focus more on cyber security, as does everyone else connected to the Internet. Now to be fair, DHS did not set up the QHSR Dialogue site, they contracted with the National Academy of Public Administration (NAPA). So that means that DHS is not at fault for the lack of security, they are just responsible for it. Failure of Execution Unfortunately, this continues a pattern that I identified in my first posting about the QHSR Dialogue web site. The NAPA operators of this site have claimed that they are protecting the data posted to the site, promising that the information “will not be shared with any third parties or government organizations”. Again, I do believe their intentions are good. It is just their performance that is failing miserably. Again, I am torn between recommending participation and recommending that anyone that has not yet signed up for participation stay well away from the web site. I do think that the intent of this site is important and there is only limited personal identifying information being placed at risk. Those of us who have already posted our information on the registration page must consider that information to be compromised. The one thing that would be of the greatest concern for most people is the inadequate password security on the site. For those currently registered, if you use the same User ID and password combination on any other web site change the password on the other site(s) immediately. And don’t use your typical password generation techniques, those techniques are basically compromised through this NAPA tool leakage as well. Those who have not yet signed up for the page, but want to participate in the dialogue you have a couple of options. First ignore the warning, come on in, the water is fine. Actually, if you are careful about what information you disclose on the registration page, select a unique User Id for just this site and don’t forget to use a unique password you should be fine. Caveat Emptor. Or you could just wait for the second Dialogue at the end of August; just watch for the padlock. NAPA should have secure registration and sign-in set up by then. Finally, you could ignore the whole exercise and continue to curse the darkness. It is your decision; I’ll be here.

No comments:

 
/* Use this with templates/template-twocol.html */