Not by Encryption Alone

Did you notice the slight of hand, though? How is that we can see the plaintext in the exchange? Via a screen recording, of course!

I always enjoy seeing this GIF from the EFF’s “Surveillance Self-Defense” page (link) demonstrating end-to-end encryption:

The tool they’re showing is pretty cool. Here, they’re making the point that transport layer security — the browser lock business in this case — is not enough to protect a message between two people, while adding end-to-end encryption ensures that the message is not readable at any intermediate hop in the transmission path. It’s pretty clear in the demonstration, yes?

Did you notice the slight of hand, though? How is that we can see the plaintext in the exchange? Via a screen recording, of course!

Encryption is an important component of any information security strategy, but it’s just that — one component. There is always the concern that, if the data is to be useful, at some point it will have to be decrypted and the contents rendered. If that rendering process is somehow compromised? If the decryption keys were exposed? If the device was recording keystrokes of the user entering a passphrase? …? Suddenly, no matter how sophisticated or strong the encryption is, it’s all for naught — the system is potentially broken.

Data protection is best handled with a holistic systems view of your operation and with pragmatic risk management. Consider how the data is collected or generated, and how it is processed. Consider how it is stored and how it moves within your system. Consider who should have access and how that access is restricted. Consider the devices used to access, consume, analyze, enrich, and retransmit the data, as well as the software and systems present in those devices. Consider the environments where use those devices are used, what would happen if the device was out of their hands, improperly accessed, or lost. Consider what could happen if the system came back and rejoined a trusted network.

Are you confident you’ve taken sufficient protective measures so that you can survive the hit if something goes awry? On the flipside, are you concerned your strategy has gone overboard? Too complex or too expensive?

Think it through — and, if you need an outside set of eyes to review what you have in place, feel free as always to contact us.

Security: It’s not a joke.

Browsing through INFOSEC social media, I spotted a post picked up by the community gaining some traction. Content?

The people most afraid of being spied on are secretly hoping they’re interesting enough to be.

Some Jackass on Twitter

Right… so what about “nobodies” like these?

  • Reporters
  • Dissidents
  • People in abusive relationships
  • People with oppressive employers
  • Victims of identity theft
  • People with medical conditions
  • People with socially unpopular lifestyles
  • Victims of data compromises all of the way up to the OPM level.

Maybe it’s just “locker room humor” inside the INFOSEC echo chamber ~ who knows? Still, there are three points to consider:

  1. The INFSOSEC community historically uses fear to raise awareness, to maintain vigilance, and undoubtedly to drum up sales as well. The profession inspires paranoia.
  2. People and systems are watching you. It may not always be personal, and it may not always be with hostile intent, but systems are actively working to monitor, characterize, and profit from your activity. [Insert targeted ad here.]
  3. There are plenty of nobodies who actually are targets of personal, hostile monitoring.

The community can do better:

  1. Focus on proper risk management: Consider the client’s situation and what the client wishes to protect. Consider the potential threats, the likelihoods of compromise, and the estimated costs of damages. Consider mitigation strategies and costs. Formulate a plan accordingly.
  2. From time to time, give back: Use your skills developed in corporate and government environments to help those nobodies and communities.
  3. Read-up on and support organizations such as the Electronic Frontier Foundation (EFF, external link), a non-profit focused on digital privacy, freedom of speech, and associated technologies. As of this morning, their front page story is related to stalkerware. Check their page “Surveillance Self-Defense: Tips, Tools and How-tos for Safer Online Communications” (external link), an invaluable resource.

And as always, if you need additional help, contact us.

Roll Your Own? Why not?!

In today’s news, there are revelations, allegations, and speculations of commercial VPN compromises. In at least one case, it seems the access to the VPN server came through the cloud hosting provider’s administrative access to the hosting hardware. In that case, with root access, public certificates together with their private keys used by the service were accessible for a few months before the cert expired.

That paragraph contains enough fuel to fill an INFOSEC proponent’s life with glee ~ page one of a veritable “choose your own adventure” novel: Which thread would you like to pull? The obvious one is how wildly these commercial VPN providers promote how secure they’ll make you — often leading one to believe that security extends a bit beyond the scope of what a VPN provides — and here they are in the news. Karma… people do love that “pride before the fall” business, don’t they? Here’s a less shiny thread that should have industry scratching their heads: What if the VPN provider did everything technically right, but it was the cloud / hosting provider’s security breach that allowed the compromise? Has your organization considered that angle for cloud security? Do your contracts pass liability to the hosting provider? If so, would it really make a difference once your brand takes the black eye?

Stuff worth considering. Anyway, for me, it was something different. It was a blowhard’s Twitter thread seemingly mocking other people’s advice to roll your own VPN service. People piled on and then one person escalated with “‘stand up your own VPN service’ is the new ‘stand up your own email server.'” Naturally, anything near that fire ignited as well. Soon there was, “Why not stand up your own ISP?” “Why not create your own internet?” “How about a WISP?” “How about those mesh networks?” “Why not roll your own crypto?” Etc.

Sigh… “Celebrity shit-posting” and the anti-intellectuals hopping on the bandwagon. Who benefits from it all? Not our clients, that’s for sure.

So, for each of those “Why not?” assertions that cause actual SMEs to cringe, let’s instead ask “Yes, why not indeed?” in response:

  1. Why not stand up your own VPN? Whether your objective is to tunnel your traffic out and away from the coffee shop or the airport lounge, or if it’s to reach your files at home or your servers at the office, a private VPN is absolutely a correct answer. It is simple enough to do, it’s completely private. The up front costs are between $0 and $50 and the recurring costs are likely between $0 and $10 per month depending on the complexity and what you want to accomplish. Odds are that you’ll be using the same software components that the commercial folks are buying.
  2. Why not stand up your own email server? The code bases for the two or three major software packages have been stable just about forever and are still actively maintained. They’re proven and they’re battle hardened. You can keep your data close by and controlled.
  3. Why not create your own ISP? Internet? WISP? Mesh Network? Were you even aware it was possible? Your cheap wireless firewall router box from Walmart essentially sets up a private network in the house wherein you can set up websites, file servers, email servers, and whatever else you like and make them all accessible to anyone on that network. Everyone in the neighborhood could do the same. If they’ve got something cool they want to share, we just need to establish a network link to join them and a mechanism to route the connections back and forth. Maybe that’s a router and a wireless connection that everyone on the cul-de-sac can see. How about a few houses up the block where the signal is a bit weak? What if the house just before it could relay the signal? So far, nothing has touched the internet-proper at all. Here’s the thing: Communities are doing this. Places without internet access have travelers bringing back copies of websites on a thumb drive to be added or updated to the isolated network — how cool is that? Under-served communities are setting up their own Wireless ISPs to ensure that families and businesses can get a signal where Comcast and Verizon don’t believe it’s worth going. Cities are standing up their own public ISPs to ensure a base level of services is available to all of their citizens, much to the chagrin of the major ISPs.
  4. Why not roll our own crypto? Here’s the thing: the first iterations of anything, including crypto, were people rolling their own. And like everything else, we learn from mistakes and make improvements — a continuous process. It’s one thing to ignore the work of folks who’ve gone before, but it’s an entirely different thing to shunt people to ground and declare that they shouldn’t try and innovate.

It goes on. We can handle our own email and data. We can create our own telephone and chat services. We can make our information available to each other in any number of forms. We can do it all privately, and we can actually do that without touching the internet itself — the same equipment that lets us connect to Comcast and Verizon let us connect to each other without them. Is it worth it? Well, that depends on us our risk tolerance and our operational needs.

With the explosion in commercial networked technology over the last 30 or so years, you’d think we’d all be able to stand up a website or similar before graduating middle school. Instead, as a society we’ve largely become device operators, ignorant of how the pieces fit together. There, there — leave it to the professionals… We’ve created a new form of illiteracy, and it’s left us ungrounded — unable to distinguish when we’re being hoodwinked or bamboozled by businesses, governments, or anyone else.

Before you know it, we have celebrity shit-posting SMEs on Twitter making technical recommendations to major corporations putting us all at risk.

So, if you find yourself around the water cooler with the kibitzers slamming that commercial VPN for their breach, why not pull the other thread instead and ask them how they mitigate the risks of putting their own corporate services in the cloud where they could be compromised by the host? It could be an interesting chat.

Find your trusted advisers and ask questions. Never stop asking questions.