Sunday, May 22, 2011

Police in Paris probably don't have ISO 27001 in place

It is already three years since Flo wandered through the streets of Paris. Thanks to him for not forgetting to send us his observations from this tour through the city of love. The pictures he sent us have nothing to do with love, though.

What he discovered was this police station in the heart of the city. It looks quite fine at first, but an expert eye probably instantly sees what is wrong in this picture.

Chapter 9.2.3 "Cabling Security" of ISO 27002 states: "Power and telecommunications cabling carrying data or supporting information services should be protected from interception or damage."

I agree that the cable coming from inside the building, hanging just beside the video camera near the entrance, is at a height that a 1.60 m tall woman or man cannot instantly grab to get at data or video feeds. But leaving this cable in what is nevertheless an easily reachable position outside the building is definitely a breach of the paragraph of ISO 27002 quoted above.

So we might come to the conclusion that the police in Paris have not implemented ISO 27001 in their information security management system. Perhaps they have, but then they should re-think their security strategy.

Making logout a bit more complicated

An established and widely applied design principle in the field of web application security is to provide users with a logout button on every page of an application. Ideally, this button is always in the same place, so that users can leave the application with one click on a defined spot. Making logout as simple as possible and getting users to actually use the logout function prevents a number of possible attacks. Cross-site request forgery, session hijacking, or simply someone using the same computer and thereby gaining access to the session are a few examples.

However, some popular platforms seem to prefer making logout a bit more complicated. Google Mail and Facebook are just two examples:

As you can see, logout needs at least two clicks, which might lead to a decrease in the total number of users actually using the logout button. While this reduces security, it also increases privacy problems.
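Because fewer users click a buried logout button, the server side has to compensate: a session must be invalidated on the server when logout is called (so a copied cookie is useless afterwards) and must also expire on its own after inactivity and after an absolute lifetime. The following session store is an added example written for this post, not code from Google, Facebook or the original author; the timeout values and the injectable clock are assumptions for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # constructed value: 15 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 3600   # constructed value: 8 hours since login


class SessionStore:
    """Server-side session table; the browser only ever holds an opaque token."""

    def __init__(self, clock=time.time):
        # clock is injectable so expiry can be exercised without waiting
        self._sessions = {}
        self._clock = clock

    def login(self, user):
        # Fresh random token per login: prevents session fixation
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def logout(self, token):
        # Drop the server-side record, not just the cookie: a stolen or shared
        # token stops working immediately. Returns False if it was already gone.
        return self._sessions.pop(token, None) is not None

    def resolve(self, token):
        # Map a presented token to a user, enforcing idle and absolute expiry
        # as a fallback for users who never press logout.
        record = self._sessions.get(token)
        if record is None:
            return None
        now = self._clock()
        if (now - record["created"] > ABSOLUTE_TIMEOUT
                or now - record["last_seen"] > IDLE_TIMEOUT):
            self._sessions.pop(token)
            return None
        record["last_seen"] = now
        return record["user"]
```

On a real deployment the token would be set as an HttpOnly, Secure cookie and the logout endpoint would be a POST, so that logout itself cannot be triggered cross-site.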

Popular platforms want your session to stay established as long as possible, in order to track which web sites you use and gather as much information about a person as possible. Social media plugins like the Facebook Like button come in handy in this process, as third-party cookies and of course your current IP address are visible to the respective platforms when you access external sites with these plugins integrated. So long, happy tracking!