I wish following things happened to make our online and offline lives more secure. Items here are in no particular order; I penned these down as they came to me.
An application that detects that a worm is attempting to access my email address book, blocks it and alerts me. It is surprising that this is one of the most common ways worms spread and there is still no effective protection against it.
An effective defense against identity theft: Even though it is a big security issue, the best defense one has is still paid monitoring services. There should be a better solution.
Secure Software: All software applications should be developed, installed and deployed secure by default. It is a hard problem to solve, but it is solvable. As a first step, software vendors must start developing with security in mind.
Liability for security issues: Software vendors must be liable for software security issues. How many industries are there that can get away with sloppy products? It is amazing that the software industry has gotten away with it as long as it has. Bad software affects our lives as much as any other bad product, perhaps even more. With identity theft on the rise, often caused by security breaches that stem from software bugs, the situation has become worse.
Auto install prevention: The OS should be capable of preventing installation of spyware and trojan horses. If an application install is not initiated by the user or through a remote management application, why does the OS allow the application to be installed at all? It defies logic. How many good software applications do we know of that are installed without the user's (or administrator's) knowledge?
Use of Hardware Tokens: All online sites should come together and share a hardware token based security mechanism, similar to what PayPal and some of the banks support. There is an initial cost associated with it, but it makes a compelling business case in the long term.
Internet Payment System: There should be only a few Internet payment authorities that handle the monetary aspect of online transactions, similar to credit card companies like Visa and MasterCard. It makes no sense to give my credit card information to a large number of retailers, any one of which can compromise it. I would rather trust a small number of companies and hold them accountable. In fact, Visa and MasterCard could make themselves a gateway for Internet money. I wonder why none of the big credit card companies have done it yet.
Security education: More people need to be educated about the security risks in a networked world. It is not enough that people secure their own computing environment and hope that their personal information will not be compromised. How many computer systems store our personal information today? There is no way to find out. At the very least we have to be aware of the risks, even if we do not have control over all of them.
Stop asking for personal information unless absolutely necessary: Vendors and companies must stop asking for personal information (especially the social security number) when it is not required. A friend of mine wanted to file a flexible spending claim (for those who do not know, it is a service that lets you claim your medical expenses tax free within a certain limit). The claim form asked for a social security number; he called up the service and told them that he did not want to provide this information written on a form. They immediately agreed to process the claim without that number. This was actually a surprise to my friend, who was expecting an excuse. That makes me wonder why they even have that field on the form. It is perhaps convenient to use that number as a key in the software, but the cost of that convenience could be very high for an individual.
Stop giving personal information unless absolutely necessary: The other side of the coin applies to us, the people; collectively we should start refusing to give personal information when common sense tells us that it is not necessary. As an example, when you register at a flight school, the form asks for a social security number. Why does a flight school need that number? When you sign up for a gym, they ask for a social security number. Why does a gym need your social security number? If you do not pay up, they can block your access. Perhaps there is an argument about reporting non-payment to credit bureaus, but it is a weak one. In fact, it is an easy way for someone to mount a social engineering attack on anyone's credit history. Let us first refuse to give the number and then see what happens. More often than not, they will still let you join.
Mandatory disk encryption: All corporations and government organizations must enforce disk encryption as a best security practice. There is very often news of lost laptops that cause the loss of millions of personal records. It should not come as a surprise that such news items come not only from government organizations but also from private companies. Both sectors have very weak protection in this regard. Why can't these organizations mandate disk encryption for their laptops? No one uses company owned laptops without passwords today (if password enforcement is not part of the security policy, that is a serious problem in itself), so why use them without disk encryption? There will certainly be costs associated with it, but less than what it costs to repair the damage when millions of personal records are compromised because of the careless behavior of a company's employees. As a customer group we should demand such security features as a minimum level of entry. Moreover, as the technology spreads, costs will go down.
Secure wifi: Wireless networks must be secure by default. It is easier said than done, but it closes a big security hole.
1 comment:
I like this post. Especially your point about mandatory disk encryption on laptops. That can be very useful.
For the others the challenge is that security almost always comes at the cost of usability. The holy grail of security has always been to make software secure without compromising its usability.
BTW, I suggest adding AdSense to this blog. Since this blog is very topical you will get very relevant and even useful ads.