Spanair 5022 (from Wikipedia)

It has been over 2 years since Spanair Flight 5022 crashed, killing 154 people. MSNBC recently released this article, which mentions that undetected malware could be to blame. As the world becomes more technology dependent, we need to take more steps to ensure safety. It is simply not responsible to allow systems to be interconnected without putting appropriate safeguards in place.

This incident is emerging proof that we live in a world where security sensors and checks on computer systems could mean the difference between life and death. Even in a perfect world (without malware and threats) we would still need to worry about human error and software malfunction.

Can we stop all malware? No. But we can take steps to minimize the impact of malware and reduce risk wherever possible. Monitors and machines that support life or even affect life are obviously those with the highest risk and should operate under the most stringent integrity checks.

In this particular case, the medium with the malevolent payload was a USB thumb-drive. This form of removable media could have been infected with malware, thus infecting the entire system. This leads us to ask: What are the security policies in place at this airline? What are the security policies at any establishment where lives are at risk?

This is a great time to reflect back on the nature of your own organization and think about the systems that you are running. Does your computer network handle systems that could harm others? Does it hold private or confidential data about your company or more importantly, your customers? If so, it might be wise to consider the risks associated with introducing foreign media onto the network.

Secure Certificates Explained

Let’s look at this in a real-world scenario. Say you’re looking to buy a book on web design, and as such, you go to the king of online book retailers, Amazon.com. You select your book, add it to your cart, and click “check out”. You’re about to be taken to the part of the website that asks for your private information such as name, address and credit card number.

Once you arrive at this point, you’ll notice that some interesting things have happened in your browser. First, your address bar will show “https://…” instead of the normal “http://…”. The extra “s” denotes that we’re using the secure HTTP, or SSL protocol. You’ll also notice that somewhere in your browser, an icon of a padlock appears. This also signifies that you’re on a secure website. With most browsers, clicking the padlock will bring up the secure certificate details of that site.

So, what happened here? When you moved to the checkout portion of Amazon’s site, You connected to its secure website. In doing this, your web browser opened an encrypted connection to Amazon’s server, a process that prevents a malicious user from eavesdropping on the information you’re sending to Amazon, such as your credit card details. Once you’re connected, Amazon sends your browser its secure certificate, which is an electronic document proving its identity. Your computer verifies this document with a “trusted third party”, typically the company that Amazon bought their certificate from. Basically, this company is vouching for Amazon. Your browser is happy, and you proceed with buying your book.

Do I Need a Secure Certificate?

The quick answer is, it depends. If your website is purely informational and nobody is submitting data on it, you probably don’t need one. If visitors are submitting personal information to you, or if you’re running an online store, chances are that you need a secure certificate. Think about it this way: instead of typing in data on a website, someone is shouting the information to you on the streets of New York City, where hundreds may be listening. If you’re worried about others hearing that information, you need a secure certificate.

How Do I Purchase a Secure Certificate?

Many companies sell these services. We recommend VeriSign and GoDaddy. Both are extremely popular. Although GoDaddy’s certificates are priced significantly lower than VeriSign, there is barely any quality difference.

If you have any questions, or if you’re still not sure whether or not you need a secure certificate for your website, feel free to contact us. We’d be happy to help.