The myth of cyber security and why computers can never be secure

The BBC has run a wonderful news story about the development of what’s claimed to be the world’s most secure email service.

Created by US security tech entrepreneur Will Donaldson, Nomx makes the bold claim it uses the “world’s most secure communications protocol” to protect email messages.

The Nomx personal email server costs from £155 – £310 and claims that users can help to stop messages being copied and hacked as they travel to their destination across the Internet.

Too good to be true?

BBC News asked ex-hacker and now security researcher Scott Helme and computer security expert Prof Alan Woodward of Surrey University to test whether the product could provide 100% protection against hacking and interception.

The investigation started by taking the device apart to find that it was built around a £30 Raspberry Pi computer. As the operating system for the Pi sits on a removable memory card, Scott Helme made light work of downloading the device’s core code so he could examine it more closely.

Could Nomx live up to its PR hype? Well, this was starting to look like a wild exaggeration to be the ‘world’s most secure email device’.

The software packages it used to handle email weren’t proprietary and worse still, many were very old versions. In one case, 5 years out of date, harbouring unpatched security bugs. Default passwords found in the code included “password” and “death”. Yes, really. ‘Password’.

Then there were problems with the web interface Nomx uses to administer the secure email service. This was vulnerable to several widely known and easy to execute attacks that, if exploited, would give attackers control over a target’s Nomx system. And there was a way to create a hidden administrator’s account on the Nomx box that would allow any cyber attacker to fully compromise the gadget.

In addition, there were more than 10 other serious security vulnerabilities with the Nomx box that left Scott Helme “horrified” by its approach to security.

Could there be some mistake?

The analysis was reviewed by Paul Moore – an experienced tester of security hardware who concluded Nomx was an “overpriced and outdated mail server” and used one of the “most insecure PHP applications” he had ever encountered.

Nomx and its PR team were now on the backfoot and published a lengthy defence of its product and disputed the way in which the BBC had tested its device claiming the tests were unrealistic. But if a company makes such a bold and audacious claim, then no test should be unrealistic to verify the claim, right?

Nomx sensed it wasn’t going to win this public war of words and quickly issued another PR statement that it was no longer shipping versions that used the Raspberry Pi.

Except these units were still being offered for sale on its website at the time it made the announcement and clearly Nomx isn’t about to embark on a costly and highly damaging product recall from unsuspecting customers who had bought the units based on its exaggerated claims.

By way of damage limitation, the company said future devices would be built around different chips that would also be able to encrypt messages as they travelled.

Question: can we still believe promises made about the email product from Nomx?

What this story illustrates beyond doubt is that computer security is a contraction in terms. Over the past 12 months, cyber-criminals stole USD81m from the central bank of Bangladesh; the trade sale of Yahoo was almost derailed as it admitted to the biggest personal data breach in history affecting 1bn accounts and Hilary Clinton’s email server was hacked by Russians during the US Presidential Election. If it can happen to the former US Secretary of State, it can happen to you and me.

And the problem is about to get much bigger with the explosion of the Internet of Things (IoT) making them very vulnerable to cyber-attack and a very real threat to personal data protection and privacy.

Irrespective of what the IT industry claims, there’s no fool-proof way to make computers 100% safe. Software is now so complex that Google has around 2bn lines of source code, so errors will be inevitable. The average software program has 14 separate vulnerabilities, each of then presenting an illicit point of entry.

The EU General Data Protection Regulation (GDPR) makes data protection by design and by default law across all 28 Member States. That means any good or service offered within the EU that doesn’t comply with Art.25, GDPR will be unlawful and this presents a massive risk to business continuity that many commercial organisations still haven’t got on their risk register.

But setting minimum standards for data protection and privacy only gets you so far. Citizens need to be encouraged to take more responsibility and care over protecting their personal data and there will be a spate of Privacy Enhancing Tools (or PETs) that companies will offer their customers and clients in order to help them protect their personal data and privacy more easily.

For information about the GDPR Transition Programme at Henley Business School, click here.

Leave a reply