Good security is about risk management, communications, updates and upgrades, quality assurance, and testing. This section attempts to contribute to the communications part, by providing some background to the most common and significant security risks on the Internet today as they apply to Back2Front clients and users of the ABC.
Email and Forms:
Many people are not aware of the security risk of using email. On the Internet, there is a technique called 'sniffing', which is similar to what we know in the regular world as phone tapping. Security-conscious people know that a phone conversation is prone to tapping: that is, anyone, anywhere along the length of the wire connecting the two parties, can attach a wire-tapping device that allows them to listen, unnoticed, to the conversation taking place.
The Internet works the same way: a hacker, using a sniffing device, can listen in on a data transmission from anywhere along the network wiring that connects the two parties. The difference on the Internet is (1) that the wiring is accessible to the public, and (2) that the listening can be automated efficiently. Email is especially prone to this technique because (1) it is a very common protocol; (2) it is usually unencrypted; and (3) it uses simple text transmissions, which are easy to scan automatically.
Many forms on typical web sites are simply front-ends to an email client: that is, submitting a form results in an email being sent. Many services on the web communicate account information, including logins and passwords, via email. Many services and companies rely on email to authenticate users and verify their identity, including web site companies, banks, and even government offices. All this happens despite the inherent insecurity of email, and despite how relatively easy it is to fake, modify, or intercept.
Given how commonly private information is transmitted via email, it seems almost futile to make an effort to secure this information at a higher level when the weakest link - email - so often undermines all that effort in the end.
Databases and other storage facilities accessible via the public Internet are common hacker targets. Unlike email, which is transient, a storage facility is a target that remains available over a long period of time, giving patient hackers time to search for weaknesses and attack. So while private information transmitted via email is probably easier to get at - if you happen to be listening to the right transmission at the right time - in the long term, data storage facilities often pose the higher risk.
A company storing private information is caught between two seemingly conflicting requirements posed by privacy laws: protect the information (from the general public), and make the information available (full disclosure to its owners). Satisfying both of these requirements at the same time, and doing it well, is an on-going challenge. In addition, on-going development and maintenance of the storage system inevitably introduces bugs and other weaknesses, which hackers will inevitably exploit given time.
The bottom line is that no matter how security conscious - even paranoid - a company is, and no matter how secure they, or you, feel your private information is on their systems, every system is vulnerable. Security is about managing risk, which means doing the best you can, given available resources, to identify and reduce both the probability and the extent of unwanted data exposure.
So, bearing all this in mind, though Back2Front slaves constantly over the protection and security of data we store, we cannot be held liable for any data exposure resulting from malicious attack, security compromises, bugs, carelessness, or any other source of security risk.