Lifetime Warranty: Data & Identity

Living in a neighborhood replete with tall, deciduous trees, when the opportunity arose I had “gutter covers” installed around the house. When once one of those tall trees decided to attack the house, I remembered the “lifetime warranty” that came with that installation. Sure enough, it was for the lifetime of that company, which — naturally — no longer existed.

There’s a bit of chatter around Twitter today regarding a decision to purge idle accounts. The details apparently aren’t firm yet, but the vagaries include “sometime next month” and “accounts that have no login in the last six months.” One of the voiced benefits: freeing up account names so they can be reissued.

Two angles appeared immediately:

  1. Identity Management. People and organizations have identity, reputations, and relationships linked to their names. When the names change, we start over, for better or worse carrying little if any notoriety between the names. Similarly, should someone move in and claim our names, they have the opportunity to claim our identity, our reputation, and our relationships. Sometimes it’s “Under New Management!” Other times, the havoc of identity theft ensues…
  2. Data Management. TOS’s and EULA’s be damned! When you place your data and communications into another organization’s hands, you are implicitly accepting the risk that your data will be lost, stolen, compromised, abused, used for purposes other than you intended, etc.; and you are implicitly accepting the risk that that access switch will be turned off without a moment’s notice. What now?

Yes, “what now?” indeed…

In the Twitterverse, I’ve seen the first “What about my deceased dad’s tweets?” questions. “I like to visit them from time to time to remember our conversations, but I don’t have a login to his account!” Extend this to every other data service that relies on a third party to accept, hold, and present data that means something to you: Facebook, Instagram, YouTube, email, blogs, websites, data storage, …; then remember that your rights to all of that are as thin as the clause that allows the provider to change the agreement at their leisure.

How about identity? I shared with you in a recent post seeing a text message from my friend that was actually from his wife, yes? When large numbers of our interactions are not face-to-face anymore, let alone in our own “voice,” we become quite comfortably conditioned to accept that email accounts, text messages, twitter handles, and everything else are natural extensions of the person or entity that we trust. (Conversely, it is easy to assume that an email account, text message, twitter handle, or anything else is not from an individual we trust if we have not previously associated them with the individual ~ but that’s a post for another time…) The bottom line? These chains of trust are often easily broken, and once broken they are easily exploited.

What to do? Well, in our perspective it boils down as usual to risk analysis. For each piece of data, for each service you use, ask what it would mean to you if it was gone or compromised. Do you have your cloud data backed-up locally in some intelligible format? Do you have the sensitive stuff protected even in the cloud? Do you have alternatives available to provide those basic services like group / family communications, email, instant messaging, and telephony? Are your peers aware of your plan and know how to fail over to the alternatives? Do you have methods in place to authenticate one another, verifying identities periodically and especially before discussing important matters when not face-to-face, so you know you’re communicating with the right person? Do you have a strategy to signal that the communication channel is not secure, to switch to alternative channels, or even to indicate on the sly that you’re in distress?

Some of that may seem far fetched. If so, good! Maybe you’re one of the ordinary folks who may never encounter these problems. The items are not in your threat modeling, or they are in your threat modeling but you estimate it’s extremely unlikely that you’ll be impacted catastrophically if it does. That is a completely reasonable outcome of thoughtful risk analysis. On the other hand, if any of the threats resonate with you and you haven’t given any thought to handling them, well, good! That’s also a completely reasonable outcome of thoughtful risk analysis, and now you know where to focus your efforts.

Our role? Helping people and organizations open their eyes to the possible threats — particularly those in their blind spots — and helping with remediation strategies where warranted. We make posts like these freely and communicate the same everywhere, and we offer to confidentially review your situation as a service. Take a stab at the exercise yourself, then contact us for an outside assessment.

Not by Encryption Alone

Did you notice the slight of hand, though? How is that we can see the plaintext in the exchange? Via a screen recording, of course!

I always enjoy seeing this GIF from the EFF’s “Surveillance Self-Defense” page (link) demonstrating end-to-end encryption:

The tool they’re showing is pretty cool. Here, they’re making the point that transport layer security — the browser lock business in this case — is not enough to protect a message between two people, while adding end-to-end encryption ensures that the message is not readable at any intermediate hop in the transmission path. It’s pretty clear in the demonstration, yes?

Did you notice the slight of hand, though? How is that we can see the plaintext in the exchange? Via a screen recording, of course!

Encryption is an important component of any information security strategy, but it’s just that — one component. There is always the concern that, if the data is to be useful, at some point it will have to be decrypted and the contents rendered. If that rendering process is somehow compromised? If the decryption keys were exposed? If the device was recording keystrokes of the user entering a passphrase? …? Suddenly, no matter how sophisticated or strong the encryption is, it’s all for naught — the system is potentially broken.

Data protection is best handled with a holistic systems view of your operation and with pragmatic risk management. Consider how the data is collected or generated, and how it is processed. Consider how it is stored and how it moves within your system. Consider who should have access and how that access is restricted. Consider the devices used to access, consume, analyze, enrich, and retransmit the data, as well as the software and systems present in those devices. Consider the environments where use those devices are used, what would happen if the device was out of their hands, improperly accessed, or lost. Consider what could happen if the system came back and rejoined a trusted network.

Are you confident you’ve taken sufficient protective measures so that you can survive the hit if something goes awry? On the flipside, are you concerned your strategy has gone overboard? Too complex or too expensive?

Think it through — and, if you need an outside set of eyes to review what you have in place, feel free as always to contact us.

Security: It’s not a joke.

Browsing through INFOSEC social media, I spotted a post picked up by the community gaining some traction. Content?

The people most afraid of being spied on are secretly hoping they’re interesting enough to be.

Some Jackass on Twitter

Right… so what about “nobodies” like these?

  • Reporters
  • Dissidents
  • People in abusive relationships
  • People with oppressive employers
  • Victims of identity theft
  • People with medical conditions
  • People with socially unpopular lifestyles
  • Victims of data compromises all of the way up to the OPM level.

Maybe it’s just “locker room humor” inside the INFOSEC echo chamber ~ who knows? Still, there are three points to consider:

  1. The INFSOSEC community historically uses fear to raise awareness, to maintain vigilance, and undoubtedly to drum up sales as well. The profession inspires paranoia.
  2. People and systems are watching you. It may not always be personal, and it may not always be with hostile intent, but systems are actively working to monitor, characterize, and profit from your activity. [Insert targeted ad here.]
  3. There are plenty of nobodies who actually are targets of personal, hostile monitoring.

The community can do better:

  1. Focus on proper risk management: Consider the client’s situation and what the client wishes to protect. Consider the potential threats, the likelihoods of compromise, and the estimated costs of damages. Consider mitigation strategies and costs. Formulate a plan accordingly.
  2. From time to time, give back: Use your skills developed in corporate and government environments to help those nobodies and communities.
  3. Read-up on and support organizations such as the Electronic Frontier Foundation (EFF, external link), a non-profit focused on digital privacy, freedom of speech, and associated technologies. As of this morning, their front page story is related to stalkerware. Check their page “Surveillance Self-Defense: Tips, Tools and How-tos for Safer Online Communications” (external link), an invaluable resource.

And as always, if you need additional help, contact us.