DHS gives internet security advice before Black Friday, but stops short of ‘encrypt your connection’
Thu 24 Nov 2016
Opinion It’s reasonable to assume that Black Friday is at least a potential field day for cyber-criminals, since network traffic carrying confidential financial information, such as e-commerce logins, is set to roughly double compared with other days in the run-up to the holiday season. Any zero-day exploits that attackers have been gambling will stay undiscovered are surely worth attempting to cash in on Black Friday. That’s sound business and sound capitalism, if a little on the dark side.
Apart from the increased online footfall of pre-Christmas shoppers, there’s also rich opportunity to either topple and undermine systems which are working at double their usual capacity, or to take advantage of those which may genuinely fail under the strain.
Since there will be so many unwelcome guests at tomorrow’s party, it’s only responsible of the Department of Homeland Security to issue an advisory to American consumers about the importance of good password policy, and indeed it has:
‘Many Americans have had their online accounts hacked and personal information compromised because of stolen credentials or weak logins. As hackers get more resourceful, usernames and passwords – which have been the fundamental account security mechanism – are no longer a sufficient solution to secure accounts. Luckily, there is a simple way to secure your online accounts and better protect yourself against online crime: strong authentication.’ (source emphasis)
Sound advice follows: ‘Never provide your banking or credit card information over an unsecured public WiFi network’; ‘Hackers and thieves often use “can’t miss” deals to lure unsuspecting customers and collect credit card or financial information’; ‘Shop only at credible, reputable websites, and look for URLs that start with “https”, which are more secure than “http” sites’; and an adjuration for the consumer to familiarise themselves with the U.S. government’s recent Lock Down Your Login campaign.
The Department Of Homeland Security’s own website is, fittingly, served over HTTPS, although following the links to the Stop, Think, Connect resource page takes you back into plain HTTP. That’s probably okay for a PR micro-site, though anything downloaded over plain HTTP, posters and PDFs included, can be altered in transit by anyone sitting on the path.
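The check described above, following links from an HTTPS page and noticing which ones land on plain HTTP, is easy to automate. The script below is an added example and not part of the original article or of any DHS material; it parses a page’s HTML, resolves every link target against the page URL and flags the ones that would downgrade a visitor to plaintext. The sample page and the hostnames in it are constructed for illustration and do not reproduce the DHS or Stop, Think, Connect sites.

```python
"""Audit the links on an HTTPS page for plaintext (http://) targets.

Added example, not code from the article. The sample HTML at the bottom is
constructed for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect the URL-bearing attributes of the tags that cause navigation or loads."""

    ATTRS = {
        "a": "href",
        "link": "href",
        "script": "src",
        "img": "src",
        "iframe": "src",
        "form": "action",
    }

    def __init__(self):
        super().__init__()
        self.links = []  # list of (tag, raw attribute value)

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.links.append((tag, value))


def classify_links(page_url, html):
    """Return [(tag, absolute_url, verdict)] for every link found on the page.

    verdict is one of:
      'https'      the target is fetched over TLS
      'plaintext'  the target is explicit http://, i.e. a downgrade from this page
      'other'      mailto:, tel:, javascript: and similar non-network schemes
    """
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for tag, raw in collector.links:
        # urljoin resolves relative paths and protocol-relative (//host/...) links
        # against the page URL, so a //cdn link on an https page resolves to https.
        absolute = urljoin(page_url, raw)
        scheme = urlsplit(absolute).scheme.lower()
        if scheme == "https":
            verdict = "https"
        elif scheme == "http":
            verdict = "plaintext"
        else:
            verdict = "other"
        results.append((tag, absolute, verdict))
    return results


def downgrades(page_url, html):
    """Only the targets that would take a visitor from this page to plaintext HTTP."""
    return [url for _, url, verdict in classify_links(page_url, html) if verdict == "plaintext"]


# Constructed sample: an HTTPS advisory page with a mix of link targets.
SAMPLE_URL = "https://example.gov/news/advisory"
SAMPLE_HTML = """
<html><body>
<a href="/topics/passwords">Strong passwords</a>
<a href="http://campaign.example.org/resources">Campaign resources</a>
<a href="//cdn.example.net/poster.pdf">Poster</a>
<img src="http://campaign.example.org/banner.png">
<a href="mailto:press@example.gov">Contact</a>
<script src="https://example.gov/static/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, verdict in classify_links(SAMPLE_URL, SAMPLE_HTML):
        print(f"{verdict:9s} <{tag}> {url}")
```

Run against real HTML fetched with any client, the `downgrades` list is what a reviewer would want to see before signing off on an "always look for https" campaign page: the two `campaign.example.org` entries in the sample are exactly the kind of link that quietly walks a visitor back to plain HTTP.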
At this micro-site you can download a whole bunch of posters and PDFs spreading the message about good online security practices. This one has excellent advice, including that users should only connect ‘[over] secure networks. Wi-Fi hotspots may not offer the same protections’.
Most surprisingly, this government-sanctioned leaflet gives advice that we wouldn’t necessarily be expecting the DHS to endorse: ‘Secure your Internet connection by using a firewall, encrypting information, and hiding your Wi-Fi network’. (my emphasis)
In today’s release, and in this raft of public information, there is not one word about how to actively encrypt information that is being transmitted over networks you don’t control. Not one word about Virtual Private Networks (VPNs), which encrypt all of a device’s traffic as far as the provider’s endpoint for as little as twenty bucks a year (and if you think I’m spamming, I understand why: see end of article).
A kingdom divided against itself
That’s because the DHS has been a key part of the government’s anti-encryption lobbying: full-scale, unrelenting pressure that has ramped up in the last 18-24 months of wrangling between investigating authorities and device manufacturers, notably Apple.
Despite maintaining a clear message that strong encryption is a necessity in network communications, Secretary of Homeland Security Jeh Johnson has sided with the government’s general viewpoint that the authorities need government-approved ‘skeleton keys’ for the systems that let private users enjoy secure encrypted communications.
He’s not as rabid on the issue as the increasingly controversial head of the FBI, James Comey, and is at least well-informed enough not to entertain Hillary Clinton’s notion of a truly secure gateway with one unattended manhole. But neither is he advising the public to adopt the same cheap methods that his own department uses and even mandates.
“When you do require a duplicate key or some other form of backdoor, there is an increased risk and increased vulnerability. You can manage that to some extent. But it does prevent you from certain kinds of encryption. So you’re basically making things less secure for ordinary people.”
Do as we say, not as we do
The U.S. government in general and the DHS in particular love VPNs. The U.S. Customs and Border Protection, part of the DHS, issues advice to government users about which ones to go for, with a general favouring of VPN offerings from Verizon and AT&T.
Just like any other large business, practically every branch of the U.S. government, federal and local, makes extensive provision for VPN use. If you do a Google search for the DHS together with the term ‘VPN’, the very first result (searching from the UK) is the Department Of Homeland Security’s own VPN portal. The Virtual Private Network has been seen as an essential component of government internet security for a long time now.
It seems that VPNs are a good thing, then, and a sensible precaution against man-in-the-middle attacks on the local network, such as a hostile Wi-Fi hotspot; what a VPN really does is move the point of trust from whoever runs the hotspot to the VPN provider. If the U.S. government is so set on advising consumers to encrypt their connections, including the advice to use a VPN in those glossy PDF downloads would seem an obvious move.
Yet the advice is not to be found in the downloads section of the government’s advisory website, nor in the DHS release of today.
And with so many VPN providers tripping over themselves to undercut each other on cost (now that they can’t make any more money out of breaking Netflix’s geo-restrictions – see below), prices are truly at rock bottom.
Abstraction, spam, Netflix and Trump: obstacles to VPN uptake
Perhaps the U.S. government has nothing to worry about as regards wider-spread VPN adoption in any case.
It does what…?
In the first place, what a VPN does is incredibly abstract and difficult to explain to the ‘just works’ generation of mobile consumers. No matter how low the cost goes, or how smoothly the installer wizards run, there’s no perceived product for your money, just the imaginative idea that your information is shielded as it travels around the world. Even this is slightly undermined by the not unreasonable, if cynical, notion that governments might force VPN providers to share encryption keys anyway, or simply to log the traffic that leaves their endpoints in the clear, and that we’ll all have to watch the warrant canaries and hope that we were really secure for the last 30-90 days.
Get one free!
The second reason why VPNs may never rise above the Mr. Robot demographic is the sheer ‘spamminess’ of the VPN companies themselves. Any tech publication editor is besieged by their voracious marketing approaches, and most of the major players have a network ad presence second only – in volume and quality – to porno advertising. To the casual viewer, the VPN looks like some species of digital Viagra at the moment, fit only for pirates, paedophiles and the Darknet.
You’d almost think there was some kind of directed interest in making a sound and affordable security precaution look like a 419 scam. As a product, the VPN has some of the worst marketing on the internet.
The third obstacle is Netflix, which has, since the beginning of the year, blocked the IP addresses of every VPN provider it can identify. This means that if your connection is going through a VPN, you can’t watch Netflix, even if the VPN exit is in your own country. This makes VPN usage complicated, with smartphones especially. That’s a terminal proposition for a concept that already baffles consumers, even though VPN companies are going out of their way to make the service easy to use. It additionally means that the permanently ‘VPN’d’ router, wherein your entire home network is permanently secured at router level, is a dismal proposition for Netflix fans. The streaming giant’s ‘scorched Earth’ approach to geo-pirates has sent the good out with the bad.
Finally, of course, there is Trump, perhaps the ultimate embodiment of the ‘nothing to hide, nothing to fear’ line on encryption backdoors. Secure messenger downloads have skyrocketed since the President-elect chose an anti-encryption attorney general, and the signs of the coming times are not hard to read in this respect.
So perhaps the best thing to do this Black Friday is take your government’s advice, and be safe. But not too safe.