Passwords kill

Do you want my Password or a dead Patient?

During an on-site visit a colleague sent us the image below and this paper [1]; the paper is old, but the days of authentication credentials being attached to medical devices are not over. Probably never will be.

Cyber security efforts across many settings still confront workarounds and evasions by clinicians and employees.  They are not black-hat hackers or terrorists, but rather colleagues who are just trying to do their work in the face of often onerous and irrational computer security rules.

Healthcare is not alone. For many organisations, workarounds to cyber security are the norm, rather than the exception. They not only go unpunished, they can go unnoticed in most settings; most concerning of all, workarounds are often actually taught as correct practice, especially within isolated teams. [2]

Change is hard. Technology is relatively easy. People find attachment comforting, so when you interrupt workflow you’ll be fighting business as usual and everyone’s relationship with it; your list of allies will quickly become very thin when you become the enemy of ‘getting things done’.

Security controls must obviously be addressed in concert with sociological, psychological and workflow issues.

The hard truth is our colleagues care more about their job than data security. 

It’s our job to help them learn to love their data too!

[1] J. Blythe, R. Koppel and S.W. Smith, “Circumvention of Security: Good Users Do Bad Things,” IEEE Security & Privacy, Sept/Oct 2013, pp. 80–83.

[2] S. Sinclair and S.W. Smith, “What’s Wrong with Access Control in the Real World,” IEEE Security & Privacy, vol. 8, no. 4, 2010, pp. 74–77.

5 advantages of being single

5 benefits to being single

All businesses could do with a big KISS. Traditionally the acronym means “Keep It Simple, Stupid” but we prefer “Keep It Simple and Secure”.

This principle was brought to mind by the fact that nearly a month after the security issue with Fortinet Firewalls, the report via Ars [1] from Bishop Fox is that nearly 70% remain vulnerable and demonstrably exploitable [2].

The extent of patching inertia is not helped by there being 5 different active code branches across the product range, something which we work really hard to avoid.

Why? Well, we’ve picked out 5 reasons why a single monolithic codebase and SaaS delivery model delivers the best customer experience; there are many more.

1. Uniform Experience.

Whether you’re a customer integrating a feature via the DOQEX API, or a customer creating instructions or documenting workflow processes, the fact there is a uniform experience across all devices and platforms is a huge time saver for everyone. Besides, it makes for a less confusing user experience; the human condition often finds change unsettling, and being consistent is nicer.

2. Stronger User Support.

A single codebase simplifies the support process, especially when new features are introduced or a new bug is introduced. Support agents are more familiar with the codebase, can understand the impact of new changes on existing functionality and can follow standardized processes and procedures. Responses are more consistent and informed; if we see an issue with only one customer we can quickly dive into client-side configuration issues and remediation.

3. Efficient Service Maintenance.

Super-fast security response, faster bug-fixes, faster feature roll-outs, consistent issue resolution. The DevOps team has a simpler task in keeping services up-to-date, meaning the risk of data breaches is reduced and the impact of bugs and patches is minimised.

4. Flexible Service Management.

Whether due to a new feature, configuration change or a change to workflow demand, DOQEX services will rapidly respond to changes. Elastic resource allocation is more effective and predictable since the operational performance demands are well-known. Customers experience better service availability, more flexibility and a simpler and more efficient process for managing change.

5. Compliance with Regulations and Standards.

A single codebase allows security tests, certifications and assurances to apply everywhere and benefit everyone. The process of gaining assurance that a service is compliant is fast, simple and unambiguous. This saves our customers time, builds trust and avoids potential penalties.

Privacy in Peril: The UK Online Safety Bill

Critiquing the UK Government’s Online Safety Bill

Privacy is a fundamental human right, essential for the functioning of a democratic society. However, the UK government’s proposed Online Safety Bill [1] has sparked concerns among privacy advocates and citizens alike. This legislation, although aimed at ensuring online safety, instead threatens to erode our privacy rights and grant the government unprecedented control over our digital lives. In this article, we critically examine the potential implications of the Online Safety Bill and highlight the dangers of an increasingly authoritarian approach.

A Step Too Far: Government Surveillance and Censorship.

While the intention behind the Online Safety Bill may be to protect individuals from harmful content and online abuse, its provisions grant the government sweeping powers to monitor and regulate online platforms. Under the guise of ensuring safety, the bill empowers authorities to surveil citizens, stifling free expression and privacy in the process.

The bill’s proposal for the creation of a regulatory framework that requires companies to remove or block “harmful” or “disinformation” content introduces a dangerous precedent. Such subjective terms open the door to potential abuse, as the definition of what constitutes harmful or disinformation can be subject to interpretation and political bias. This risks creating an environment where dissenting voices and minority opinions can be silenced, undermining the principles of free speech and democratic discourse.

Unprecedented Data Access and Retention.

One of the most concerning aspects of the Online Safety Bill is the provision granting law enforcement agencies expanded powers to access and retain individuals’ online communications data. This move raises serious questions about the proportionality and necessity of such invasive measures. Granting authorities broad access to private communications not only undermines trust but also places innocent individuals at risk of unwarranted surveillance and potential misuse of personal information.

Furthermore, the bill’s requirement for online platforms to implement technical measures enabling government surveillance poses a grave threat to end-to-end encryption, which is a vital tool for protecting users’ privacy and ensuring secure communication. Weakening encryption for the sake of surveillance compromises the cybersecurity of individuals and creates vulnerabilities that can be exploited by malicious actors.

Leaders at WhatsApp, Signal and other tech firms are worried and appeal to us in their open letter of April 2023 [2] to be concerned about the risks posed by the bill.

Chilling Effects on Freedom of Expression.

The Online Safety Bill has the potential to create a climate of fear and self-censorship. Knowing that their online activities are being monitored, individuals may be hesitant to express their opinions openly or engage in controversial discussions. This erosion of freedom of expression undermines the diverse and inclusive nature of democratic societies, stifling innovation, creativity, and societal progress.

The Need for Transparency and Democratic Oversight.

The proposed Online Safety Bill lacks adequate safeguards to protect against abuse of power. The government must ensure transparency, accountability, and democratic oversight in the implementation and enforcement of the legislation. Clear guidelines must be established to prevent the bill from being weaponized against dissenting voices and marginalized communities, inadvertently enabling an authoritarian regime under the guise of online safety.

Conclusion.

The UK government’s Online Safety Bill raises significant concerns about the erosion of privacy, freedom of expression, and democratic values. While the intention to protect citizens online is commendable, the proposed measures grant authorities excessive powers, jeopardizing the fundamental rights that underpin our society. It is imperative that the government reevaluates the bill, incorporating robust privacy protections, democratic oversight, and clear definitions of harmful content. Upholding both online safety and individual privacy is not an either-or proposition, but a delicate balance that must be achieved through thoughtful legislation and respect for fundamental rights.

EC “All your data belongs to US”

EC arbitrarily rules for US tech firms. Again. It won’t stick.

The European Commission decided today [1] that the United States is once again a safe country for your data. 

The decision has sent shockwaves through the data protection community and completely ignores the obvious problem with the privacy and security of data processed within US companies. 

It is no secret that the U.S. legal framework for data protection falls completely short of our GDPR’s rigorous requirements. There is no federal privacy legislation, and the US government’s legal right to all data leads to the pervasive surveillance practices employed by U.S. intelligence agencies. Tech giants Meta and Alphabet demonstrate where the balance of power and interest lies; they are not among the wealthiest entities in human existence on the back of a business model which keeps data private.

For the political appointees of the European Commission to (once again [2]) decide to allow US firms to monetise the EU population completely avoids the reality of the situation: there has been no change to US or EU law. The US measures are not equivalent to GDPR. The EU Court of Justice will rule as such in due course; however, unless you’ve stock in a US tech firm, it’s a waste of energy for this merry dance between the EU Court of Justice and the Commission to go around once again.

In the meantime the European Commission’s decision places another burden on CISOs and DPOs. There are thousands of active projects moving data to EU residency and GDPR-adequate services; these cannot safely stop. The laws either side of the pond haven’t changed and the EU Court will strike the bureaucrats’ decision down in a repeat of Safe Harbour [2]; hopefully the process will be quicker this time around.

This latest decision seriously undermines the efforts of organisations that have invested significant time and resources in implementing data protection measures aligned with the GDPR. We urge CISOs and DPOs not to change tack and to guarantee that our data will not be transferred to a country that will not protect it.

Whilst the European Commission are happy to have given away our trust, the management, officers and legal teams within our suppliers, employers and business partners must remain true to the standards and rights we all expect and enjoy.

Whose browser is it anyway?

For most of us, our web browser remains our primary “window upon the world”, so it’s important we can trust it.

There isn’t much choice.  You are nagged and pushed to use the browser the platform vendor wants you to use and, in most circumstances, the purpose is that the vendors get to use and sell your search data.

Disturbingly, starting from 4th July (happy Independence Day to our US friends) and version 115, Firefox can silently and remotely disable extensions within your browser.

The release notes say “We have introduced a new back-end feature to only allow some extensions monitored by Mozilla to run on specific websites for various reasons, including security concerns.”

“For various reasons.” That’s quite uninformative and mysterious.

We are all in favour of providing users control over which extensions are allowed to load on which sites (this is already present in Safari), but this isn’t that; Mozilla has now given itself the ability to control that and decide for itself.

This isn’t about extension misbehaviour. Since Mozilla has to analyse and cryptographically sign extensions before they can be installed in Firefox, it’s unclear why there should be a list of domains where only Mozilla-chosen extensions can operate. Mozilla’s opacity and vagueness here feels almost deliberate.

We don’t like extension monopolies any more than browser monopolies.

This undermines our trust.

Whose email is it anyway?

Microsoft has once again changed Exchange Online and it feels increasingly hostile.

If you thought the internet was democratic, with open and published standards, you’d be forgiven for thinking that Microsoft disagree.  Perhaps it really is better that they decide how email works. Not just your email but everyone’s.

It’s gone rather unnoticed, but Microsoft have changed Exchange Online [1] so that you (as paying customers) no longer have full control over your Smarthost connections. The Microsoft back-end team are now the sole arbiters; they decide who you can connect to and who can relay mail to you.

Apparently the reason is fraudsters and hackers; however, if hackers are such a problem, why do Exchange Online (EOL) connections still not allow full-TLS from inception? Yes really!

In our opinion this is about making it harder to use 3rd-party email services. By grabbing control over email and reducing options for customers it will boost revenue for add-on Exchange services.

Despite this, DOQEX services are ahead of the game and have designed the DOQEX Email Gateway so that integrations with Exchange Online will still pass their hurdles and be enabled by the Microsoft back-end team.

No doubt the goalposts will move again; however, DOQEX will continue to deliver proper security, choice and expertise on our own merits – not that of a monopoly.

Where do product features come from?

Friday, 15:30 > our brand new customer has a problem:

The shiny new cloudy CRM system is full of essential data that the rest of the business really needs on the internal customer data platform (you know – that one that only supports SFTP or manual uploads).

Their solution? “Call that new data portal supplier (that’s us!) – they’re more responsive than the CRM vendor.”

Our solution? Build shiny new features!

This is one of those stories that could have a humorous tagline on The Register. We were two weeks into a relationship with a new customer, and things were going well; they were happy, and we’d started talking to them about adding email integration.

However, we didn’t expect the next step to be a call late on a Friday afternoon asking us if we could help out with a data transfer problem. Probably, we said, but it turned out that we couldn’t – at least not immediately.

We learned that the source was a cloud-based CRM system, with a delightfully easy-to-use API built in which did everything they needed to create the data. They already had code calling the API to generate reports which their staff could download, then manually transfer internally, but they needed that to happen automatically as well as being able to share it with other teams.

DOQEX includes Virtual File Stores (VFS), which can be used to interface with and transfer data between various types of system; unfortunately the cloud CRM wasn’t one of them.

During a three-way call, we found the API could do a callback when a report was generated; we added a hook to our workflow engine, making it available to our VFS as a source and therefore available inside DOQEX for sharing.

It should have been easy from there – we already support SFTP, and they needed the files sent to them via SFTP, and we have file-forwarding specifically for situations like this. It’s rarely that straightforward with legacy systems though. This one had no support for the (modern, secure) cipher suites we support for SFTP, making it a fairly significant risk in our eyes!

The end result? We built in a VPN client system, which makes their DOQEX service look like one of their staff connecting to their network, enabling it to talk directly to their internal system without having to fall back to plain FTP.

So, this is where DOQEX answers the question: Customers!

As far as DOQEX is concerned, every feature in the service is there because a customer needed it. The new VPN and VFS features became available across our entire DOQEX estate. Our unitary codebase is not only more secure and manageable, it’s essential to make new features like this available to all our customers.

How not to be confusing

“It’s not changed in years…” said Mike from devops, “the process is the same.”

“Just click the link, dismiss the warning, click run, click ignore, scroll down, accept the terms, enter your email address, create a password and then reply…”

“So, how many people used the securemail service last year? Clients have been emailing the contact address with their data,” asked the CIO.

“We won’t get useful stats without the A3 upgrade and audit module,” said Mike, “perhaps the reason why clients keep emailing us their personal data is because the current process doesn’t support mobile devices, it was only a stop gap whilst we waited upon budget to extend the order system.”

This is a conversation we were party to at a client before they started using DOQEX.

The CIO was rightly concerned that customers were emailing finance information to an address scraped from the corporate website despite being sent links to a webmail platform. Applications were slow and there were errors; a poor experience all round and it was hurting business.

We suggested direct login links. These are configurable links to one of the client’s own domains, which are instantly more trusted than one from a random US software vendor. Customers simply click the link and their inbox in a client-branded webmail portal opens in a browser. The links can be styled as a button, and TTL, IP and use-bound admin controls can be applied. It’s all cross-platform and device agnostic. There are no plugins, passwords or usernames required.

All the client had to do was create a DNS record and forward email via the DOQEX email gateway service. We would manage the rest. Audit trail and API included.

Mike was sceptical at first; he only needed budget for another 12 weeks of team time before they could beta-test data collection requests via the order system. It only took a few hours exploring our API playground before Mike was confident they could add data request features to their order system, using just 6 lines of code! Success.
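To make the TTL, IP and use-bound controls on direct login links concrete, here is an added example that is not DOQEX code: it mints a signed link and enforces all three limits when the link is redeemed. The token layout, the HMAC key, the function names and the `files.example.test` URL are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Assumption: demo key; a real service would load this from a secret store.
SECRET = b"constructed-demo-key"
# Redemptions per link id. In-memory stand-in for a store with atomic increments.
USES = {}


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(body: str) -> bytes:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).digest()


def mint_link(base_url, link_id, user, ttl_s, allowed_net, max_uses, now=None):
    """Build a login URL whose token carries the TTL, IP and use limits."""
    now = int(time.time()) if now is None else now
    claims = {"id": link_id, "sub": user, "exp": now + ttl_s,
              "net": allowed_net, "max": max_uses}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    return f"{base_url}?t={body}.{b64e(sign(body))}"


def redeem(token, client_ip, now=None):
    """Return (True, user) or (False, reason).
    A use is only counted once every other control has passed."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
        # Verify the MAC before trusting, or even parsing, the claims.
        if not hmac.compare_digest(sign(body), b64d(tag)):
            return (False, "bad-signature")
        claims = json.loads(b64d(body))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return (False, "malformed")
    if now >= claims["exp"]:
        return (False, "expired")
    if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(claims["net"]):
        return (False, "ip-not-allowed")
    used = USES.get(claims["id"], 0)
    if used >= claims["max"]:
        return (False, "use-limit-reached")
    USES[claims["id"]] = used + 1
    return (True, claims["sub"])


if __name__ == "__main__":
    # Constructed sample: 15-minute, single-use link limited to one /24.
    url = mint_link("https://files.example.test/login", "L1", "client-42",
                    900, "203.0.113.0/24", 1)
    tok = url.split("?t=", 1)[1]
    print(redeem(tok, "203.0.113.7"))  # first click succeeds
    print(redeem(tok, "203.0.113.7"))  # replay is refused
```

Because the link replaces a password, whoever holds it is the user until it expires or is used up, so a short TTL and a low use count are the settings that limit the damage from a forwarded or leaked email.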

I want more emails

“I want more emails”, said no-one ever.

Keeping track of user activity can be a fun task for Data Protection Officers. Add in another system to that, and your inbox load keeps going up. We helped a struggling DPO team reduce their workload with new reporting and summary features.

DOQEX keeps audit records for anything involving viewing, changing, sharing, or adding data. It’s very flexible, and can also email you when any of these things happen. This had been working successfully for a DPO at one of our customers for a few years – seeing an email whenever data they cared about was accessed.

Unfortunately, things changed one week when they added another 20,000 customers to the service. The email alerts from our system, while still useful, became overwhelming for the DPO. Things needed to change.

Fortunately, we care very much about feedback from our customers. We set up a meeting, and within a week we had a solution ready: a special new report that would summarise all the information the DPO needed. They could just log in and view this whenever they wanted.

This worked fine for a few weeks, but everyone knows it’s hard to form new habits. The DPO was forgetting to log in and get their report. Could we add some way for them to receive it automatically? No, we said (we like to be helpful): there’s already a button for that. Any report can be run on a schedule and emailed to whoever needs it.

Incidentally, the new report also became available to all our other customers as well.

How to ask nicely

Recently, a customer of ours (let’s call him John) needed a way to collect data from thousands of different people. These weren’t people his team already had a relationship with, and we knew they weren’t likely to be very technical; so, where do you start?

People are more aware than ever about the risks of clicking on links in emails – particularly John’s new user base, who were mainly retired and not very technical. John’s team knew these people would be expecting some contact from them to kick off their relationship, but he also knew that the whole process needed to be short, clear and concise – keeping the number of support calls low and avoiding people going elsewhere.

John’s CRM was set up with the contact data for all of these people, and they’d created an initial email for the onboarding process – however, this needed the new customers to reply to the email and attach a load of files, including sensitive stuff like pictures of driving licences.

John’s team were already using DOQEX for sharing sensitive B2B data with their suppliers. He asked us if we could integrate with his CRM and capture the files being emailed back.

We were a bit concerned about people emailing the wrong things, or sensitive data getting lost along the way, so we suggested they add our Email Gateway system to their DOQEX service. This way, we could intercept all the emails from this CRM campaign, without needing to make any changes to their legacy system, and modify the emails to include a few short words and a link to their fully white-labelled DOQEX service. This gave their new users a sense of security from start to finish – the email came from them, and the link went to a branded service under their domain name.

The file upload page was linked to each email, so we could easily link uploaded files to individual users, and send this information back into John’s team without it ever being transmitted in the clear.

One of John’s management team was a bit concerned about this approach, so we ran an A/B test across a few hundred users: around 7% responded with the “please email files”, but they got an 84% success rate with people using the upload portal. Success!