Sunday 19 August 2012

Basics of Security

This story in Computing about the ICO investigating Tesco's security (http://www.computing.co.uk/ctg/news/2199618/ico-to-check-out-tescocom-security) highlights the need to start from the basics when implementing security.

The ICO is to start investigations after security bloggers, such as Troy Hunt, vented their dismay at what they claim are unsafe security practices used by Tesco.com.

They discovered that the site:
  • loads up some components over plain HTTP, not HTTPS
  • only allows weak passwords: no more than 10 characters in length, with upper- and lower-case characters treated the same
  • according to the error messages it spews, is still based on Microsoft IIS6 (now seven years old) and ASP.NET 1.1 (nine years old)
One of the fundamentals of security is keeping applications and operating systems fully up to date and patched. The Microsoft Product Lifecycle does not list information for IIS6, but the IIS5 Extended Support end date was 13th July 2010, and IIS6 was released with Server 2003, for which Mainstream Support ended on 13th July 2010 and Extended Support is due to end on 14th July 2015.

In July the Register reported (http://www.theregister.co.uk/2012/07/31/tesco_website_insecurity/) on the Tesco unencrypted password email reminder rumble: the site still merrily emails passwords to punters in plain text, which has alarmed anyone with a grasp of computer security. The passwords are not hashed and salted; this is worse than the LinkedIn password policy, where they were encrypted but without a salt value.
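To make the three weaknesses above concrete, here is an added illustration (my own constructed code, not Tesco's or anyone else's implementation): a "weak" store that case-folds and truncates to 10 characters before taking an unsalted digest, beside a salted, slow-KDF store. The weak scheme accepts a wrong-case, over-long guess as correct and gives every user with the same password the same stored value; the salted scheme does neither.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak scheme, modelled on the practices described in the post (constructed
# example): case-fold, cut to 10 characters, store an unsalted SHA-1 digest.
def weak_store(password: str) -> str:
    normalised = password.lower()[:10]
    return hashlib.sha1(normalised.encode()).hexdigest()

def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)

# Hardened scheme: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
# Iteration count is an assumption chosen here; raise it on real hardware.
def strong_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so parameters can be upgraded later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def same_password_shares_record(password: str) -> dict:
    """Constructed check: do two users with one password get identical records?"""
    return {
        "weak": weak_store(password) == weak_store(password),
        "strong": strong_store(password) == strong_store(password),
    }

if __name__ == "__main__":
    rec = weak_store("correcthor")
    print("weak accepts wrong-case, over-long guess:",
          weak_verify("CorrectHorseBatteryStaple", rec))
    print(same_password_shares_record("hunter2"))
```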

In December 2006 Tesco had a security breach http://www.channelregister.co.uk/2006/12/12/tesco_customer_security_flap/ involving customer data.

It appears Tesco is not following some of the basic tenets of computer security, and it will be interesting to see what the ICO makes of their policies.