|Unencrypted Data May Go the Way of $2 Gas|
|Security - General|
|Written by Chris Smith|
|Thursday, 29 May 2008 19:00|
The increasingly heavy reliance on a highway as dangerous as the Internet can mean only one thing: The practice of encrypting everything is likely just over the horizon.
The Internet just in the past year has become a dangerous place indeed. This is ironic since during that same year, more people than ever are using the Internet for a growing list of purposes from personal dating to bill paying. Apart from hard statistics that document the increase in malware and phishing schemes, it seems every time I run a virus check lately, I find something has latched onto my system. With identify theft and data loss/leakage on the rise and compliance regulations directing us to follow ever-better security practices, the days of allowing data to remain unencrypted may soon be coming to a close.
To get an idea of how lax our standard security practices are, all we have to do is go to Microsoft Password Checker and plug in a password or two to see how pathetically weak they are. I plugged my online banking password into the tool the other day, and it came back as only moderately secure. I tacked on a couple of dollar signs to the end of it, and it bumped it up to "strong," but it still wasn't "very strong." Did I have a nice long password with lowercase and uppercase letters, numbers, and characters? Well...not exactly. My passwords wouldn't last five minutes under a brute-force attack from a tool like Ophcrack (a fast password cracker that uses pre-populated rainbow tables to accelerate the process).
Let's face it, we all know we're living dangerously, but we don't want to bother to do what it takes to tighten things up. Why not? We're in a hurry, and it's far too inconvenient. Besides, who can remember those esoteric passwords? (I finally see a good reason to get a tattoo.) I truly believe that some IT people don't push for tighter security because they don't want to deal with users who forget or lose their passwords. Heaven forbid one should encrypt her C: drive and forget the pass phrase. Not having a backdoor could be career-limiting when that drive belongs to the CEO.
It seems inevitable to me, and probably to most readers, that the days of fooling around with security and assuming that, because we're part of a larger herd, we won't be targeted are very close to being over. We're dreaming if we think we don't have anything to steal. Today's air of casualness is like the $2 gallon of gas. It was only yesterday that it was here, and it was so easy and affordable. Today, however, is a new reality.
I know the practice of broad-based encryption is coming because the other day I got an encrypted press release. At first I didn't realize what it was. After I figured it out, I wondered, why would someone encrypt a press release? The whole idea is to make it easy for people to read the information and to broaden an audience by sending it to as many people as possible. It turned out that it was a mistake, and the sender hadn't meant to encrypt it after all. It happens that the company is starting to encrypt everything, and the person just forgot that it is counter-productive to encrypt a press release.
So there are a few things then that shouldn't be encrypted, and a press release definitely falls into that category...I guess. The thing about encryption, though, is that if you encrypt only your important documents, then an intruder knows exactly where to start looking when trying to crack your encryption. So you're far better off encrypting everything and leaving the sensitive information obscured in the blizzard.
Multiple operating systems and the whole interoperability landscape make encrypting drives, folders, files, networks, email, and instant messaging a daunting task. Requiring people to encrypt all their data and communications when the tools to do so are often awkward to use and difficult to master does not make for a popular IT department. Sometimes, however, you just have to do your job whether you win the Miss Popularity contest this month or not. Letting your CEO leave town with an unencrypted laptop while knowing he will be placing it onto the airport X-ray conveyor belt where it will be out of sight in a large crowd for several very long minutes is nothing less than a disaster waiting to happen. It also represents a point of failure for the entire team.
I think one way to start getting people used to the idea of encrypting data is to do it gradually (others, I'm sure, will say it's better to jump right in with an entire encrypted communication infrastructure such as what PGP Corporation offers). I'm certain that most people don't understand what encryption is and why they should bother with it. This attitude probably includes senior management. Having encryption available is one thing; using it is another. To get people started down the straight and narrow road, they have to first understand a fundamental principle of cryptography: the idea of "keys," same-key and public/private keys. Once they get that, it will all be downhill from there (so to speak).
One way to get users interested is to send them to Hushmail and have them open a free account. For no cost, they can practice sending each other encrypted emails and get used to entering pass phrases to open them. It's easy enough to be fun but challenging enough to get your attention (I actually locked myself out--as in permanently--of a test email that I sent myself after trying too many times to input an incorrect pass phrase).
Another free tool, which is quite fun yet very powerful, is TrueCrypt. It runs on Windows and Linux and creates a virtual hard drive while reading and writing encrypted files on the fly. Pretty fancy. Use it to encrypt your CEO's laptop or that USB drive you know he's going to lose the minute he gets off the plane in Miami.
|Last Updated on Thursday, 29 May 2008 07:14|