
The Bogus Security Claim, Chimney-Protection Style

2015-05-20 21:05

As if security advocates didn't have enough headaches, there is a frightening trend of security arguments that sound like they're meaningful but are in reality protecting something that isn't a threat and that users don't care about. It's like a home security company sales rep pushing an anti-burglary system in a high-crime neighborhood. The system, however, only protects against chimney attacks, despite the fact that no such attacks have ever hit that community (or any community for that matter).

A few weeks ago, the Lords of unintentionally undermining security have given us two classic examples of this technique: the first is the “Protecting Cyber Networks Act”, also known as the cyber threat information bill, which passed the US House late last month and is currently sitting with the Senate. The second was Google’s confirmation that Google Wallet is now offering FDIC protections.

Unfortunately, these moves are designed to sound like they are offering some level of meaningful protection, but the bill itself falls short and Google Wallet’s protections only make sense if you don’t think about what FDIC is.

Let's start with Congress and the White House. The intent of the Protecting Cyber Networks Act is to encourage American businesses to share more security information with both the government and with other businesses. The concern, argued especially loudly in Silicon Valley, is that companies will not cooperate without meaningful liability protections. But the White House and congressional leaders promised that there would be such protections. Insofar as it goes, these protections were included, but they don't protect against anything that businesses care about. Let's call it the Chimney Defense.

The fear companies have—as I wrote about back in February, when The White House started pushing this legislation—is that they will share some sensitive piece of security information with the group and it will somehow leak. That might be because a cyberthief cracked into the database or someone who works for the government or another business leaks it, intentionally or accidentally. With the news of the security hole publicized, someone might sue because of the existence of the hole or, much worse, someone might use the hole to make a successful attack—and then somebody will sue the company because they were a secondary victim of that attack.

In short, there are so many ways this could go bad. The liability protections sought would have said "If these companies do the patriotic thing and cooperate, no one can sue them for anything that happens as a consequence of that cooperation." Even that wording wouldn't have fully protected those companies because who is to say that the breach happened solely because of the government cooperation? If the company caused the security hole, that is reason enough for a lawsuit.

Not to worry, though. Neither the liability protection the White House proposed nor the one the House pushed through does much to protect against anything. Here's the entire wording of the liability protections section in the bill published by the House Intelligence Committee:

PROTECTION FROM LIABILITY.

(a) MONITORING OF INFORMATION SYSTEMS.—No cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the monitoring of an information system and information under section 3(a) that is conducted in good faith in accordance with this Act and the amendments made by this Act.

(b) SHARING OR RECEIPT OF CYBER THREAT INDICATORS.—No cause of action shall lie or be maintained in any court against any non-Federal entity, and such action shall be promptly dismissed, for the sharing or receipt of a cyber threat indicator or defensive measure under section 3(c), or a good faith failure to act based on such sharing or receipt, if such sharing or receipt is conducted in good faith in accordance with this Act and the amendments made by this Act.

In short, it protects against someone suing a company for cooperating. Who would file that lawsuit? (Hint: no one.) If cooperation exposes a security hole, though, then a lawsuit is more likely - and there simply isn’t any language here that protects against those lawsuits.

Enough politics. How about some old-fashioned search engine mobile wallet meets New Deal-era programs fun? Google recently confirmed that it was making a material change: It would soon house any funds that consumers left deposited within Google Wallet in an FDIC-insured account.

The story was first reported by Yahoo Finance, which pointed out that this is initially a differentiator from other services—PayPal and Venmo were named—that don't house funds in FDIC-protected accounts.

But then the original widely-referenced piece went into the woods. Consider this passage: "In a worst-case scenario, if one of these companies fails and files for bankruptcy, their customers would become their creditors. That means they would have to go through a bankruptcy court like everyone else to get their money back. With FDIC insurance, the government would pay customers back in a matter of days."

OK, so that suggests that if Google pulled the plug on Google Wallet, FDIC would come to the consumers' rescue. Unfortunately, that isn't true. But surely if Google itself shut down, FDIC would help? Nope. What if a cyberthief stole all of the money in the account? Nope. OK, how about an armed robber who storms the bank branch where the monies are held? Nope again. FDIC insurance does one thing and one thing only: It covers the account holder when the FDIC financial institution goes under. In the last 50 years, there have only been 3,624 financial institution failures that were covered by FDIC, according to FDIC spokesperson LaJuan Williams-Young.

It gets worse—in the sense that it moves farther away from protecting consumers. FDIC has a $250,000 limit per account. Given that Google will be consolidating funds left in these millions of mobile wallets, there is an excellent chance that even multiple accounts would blow through that limit. But none of that should matter to consumers because—wait for it—the owner of those accounts would be Google, not the consumers. Therefore, in the remarkably unlikely scenario that a payment is made (meaning that the bank that Google chooses happens to implode and that all accounts stay below the $250K limit), that payment will go to Google headquarters.

The idea behind the FDIC move was to make nervous consumers more comfortable with aggressively using Google Wallet, confident that data breaches and changes of business wouldn't put their money at risk. Clearly, though, FDIC doesn't do anything to help with any of that.

But there is some solace in all of this. The U.S. is about to get some of the best-protected chimneys in the world.


Source: blog.fortinet.com/post/the-bogus-security-claim-chimney-protection-style
