Security blind spots: It turns out they’re everywhere on the web.

sbsIt seems like there’s a story every other day about security breaches affecting e-commerce sites and other websites where consumers congregate.

And now we have quantification of the challenge. Ghostery, a provider of apps that enable consumers to identify and block company tracking on website pages, has examined instances of non-secure digital technologies active on the websites of 50 leading brands in key industry segments like news, financial services, airlines and retail.

More specifically, Ghostery was looking for security “blind spots,” which it defines as non-secure tags that are present without the permission of the host company.

What it found was that 48 of the 50 websites it studied had security blind spots.

And often  it’s not just one or two instances on a website. The analysis found that retail web pages host a high concentration of non-secure technologies:  438 of them on the Top Ten retail sites it analyzed (companies like Costco, Kohls,, Target and Walmart).

Financial services sites are also hit hard, with 382 blind spots identified, while airline websites had 223 instances. And they’re often present on the pages described as “secure” on these websites.

Scott Meyer, who is Ghostery’s chief executive officer, had this to say about the situation:

“Companies have very little understanding of what’s happening on their websites. The problem is not with any of the company’s marketing stacks, it’s with their own tech stacks.  What these companies have now is marketing clouds, not websites, and they’ve gotten complicated and hard to manage.”

Scott Meyer, Ghostery CEO
Scott Meyer, CEO of Ghostery (formerly The Better Advertising Project and Evidon).

There was one leading brand web site that came off looking squeaky clean compared to the others: Amazon.  “Amazon is incredibly sophisticated; others are not,” Meyer noted.

The implications of avoiding addressing these security blind spots could be seriously negative. Bot networks often use non-secure technologies to gain entry to websites.  Google is indexing company websites higher in search engine results based on their security ratings.

It makes it all the more important for companies to audit their websites and set up system alerts to identify the non-secure tags.

For the leading brands in particular, they just need to suck it up and do it for the benefit of their millions of customers.

Computer security measures: A whole lot of heat … and very little light?

Cyber-security ... how effective is it in relation to the all the effort?If you’re like me, you have upwards of two dozen sets of user names and passwords associated with the various business, banking, shopping and social media sites with which you interact on a regular or occasional basis.

Trying to keep all of this information safe and secure – yet close at hand – is easier said than done. More often than not, passwords and other information end up on bits of paper floating around the office, in a wallet … or in (and out of) your head.

And to make things even more difficult, if you paid attention to conventional advice, you’d be changing those passwords every 30 or 60 days, making sure you’re following the guidelines regarding creating indecipherable permutations of numbers, letters and symbols so as to throw the “bad guys” off your password’s scent.

Now, here comes a paper written by Dr. Cormac Herley, principal research analyst at Microsoft Corporation, that calls into question how much all of this focus on password protection and cyber-security is really benefiting anyone.

Dr. Herley’s paper is titled So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. In it, the author contends that the collective time and effort involved in complying with all of the directives and admonitions regarding computer security add up to far more cost than the cost of what is actually caused by cyber-security breaches.

[For the record, he estimates if the time spent by American adults on these tasks averages a minute a day, it adds up to ~$16 billion worth of time every year.]

Here’s a quote from Herley’s paper:

“We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice, we find that the advice is complex and growing, but the benefit is largely speculative or moot.”

It would be one thing if this screed was written by some outré blogger operating on the fringes of the discipline. But it’s coming from a senior researcher at Microsoft.

To illustrate his point, Herley summarizes the whole area of password rules, which he contends places the entire burden of password management on the user. To wit:

 Length of password
 Password composition (e.g., letters, numbers, special characters)
 Non-dictionary words (in any language, not just English)
 Don’t write the password down
 Don’t share the password with anyone
 Change it often
 Don’t re-use the same passwords across sites

How much value each of these guidelines possesses is a matter of debate. For instance, the first three factors listed above are not consequential, as most applications and web sites lock out access after three or four incorrect tries.

Changing passwords often – whether that’s quarterly, monthly or weekly – is never often enough, as any attack using a purloined password will likely happen within a few seconds, minutes or hours of its acquisition, rather than waiting days. On the other hand, for users to change their passwords regularly requires time and attention … and often leads to frustration and lost productivity as people hunt around for the “last, best” misplaced password they assigned to their account.

And as for those irritating certificate error warnings that pop up on the computer screen with regularity, Herley contends that most users do not understand their significance. And even if they did, what options do people have when confronted with one of these warnings, other than exiting the program?

As it turns out, there’s not much to fear, as virtually all certificate errors are “false positives.” With certificates as well as so many other issues of cyber-security, Herley maintains that the dangers are often not evidenced-based. As for the computer users, “The effort we ask of them is real, while the harm we warn them of is theoretical,” he writes.

Herley’s main beef is that all of the energy surrounding cyber-security and what is asked of consumers is a cost borne by the entire population … but that the cost of security directives should actually be in proportion to the victimization rate, which he characterizes as miniscule.

An interesting prognosis … and a rather surprising one considering the source.