back to article Pervasive encryption: Just say yes

In my day job as a sysadmin for a small business, and in my moonlighting as a freelance tech consultant, I get to do a lot of thinking about security. Ignorance of information security among small businesses is hardly news but in my experience many small businesses are only now getting the hang of securing their local PCs - just …

COMMENTS

This topic is closed for new posts.
Silver badge
Badgers

Cores?

Routers and ARM SoCs often have dedicated HW for cryptography. About 1/100th of cost and power consumption of using a "core".

Most people best to ignore Cloud blandishments.

1
0

You mean good encryption surely?

The article starts off with the attacker breaking the encryption that protects everything WEP + man in the middle to defeat the SSL. Does a HTTPS type connection really add 25% workload? Where's the evidence for that?

2
0
Boffin

Encryption Overhead + Stuff

Last I checked, full-disk encryption overhead for my work laptops is only about a 3% CPU bump, with a slight dip (about 4%) in disk throughput. Of course, that's using TrueCrypt. It could likely be worse with whatever garbage Trevor is pimping.

WEP is a VERY common wireless setup, even now. Most businesses haven't swapped out their wireless router since they bought it 5 years or more ago. Therefore, any comment of "they haven't sold a WEP router since 2006" is bollocks, as my wireless N router still supports WEP, and the fact that the business in the "example" likely /did/ buy their router circa 2006.

Next on the list: lax security. Many commenters seem to think this grossly lax security is a stretch. It is not. The idea of having the spreadsheet online is more of a stretch than a sticky with the password, and the same password being used for banking, email, etc. They'd be lucky to have the wireless SSID changed from "actiontec" to something else. Expecting them to even be able to train on "security" or the like is out of the question.

What are we to do then? Perhaps the computer shop down the street (or evening-freelancers like Trevor (author) or I) should offer consulting services and advertise to target these particular cases. However, Trevor won't win any business by walking in and slapping down his "pervasive encryption" mantra as if these businesses had the budget of a datacenter. A simple 1hr consultation visit and advising them to apply patches, vary passwords, and employ a wireless router using WPA2 should be more than adequate. Even the stickies aren't really a no-no, since it would require physical access to the machine/area, at which point, just steal the laptop (TrueCrypt full-disk encryption again?) and the register cash. You can offer such consultation as the "minimum" they should do to start protecting themselves, and no, not as the "ideal" fix.

0
2
Gold badge

@James Cooke

HTTPS doesn't add 25% at the user end, but rather to the cloud provider's end. Google, Oracle, Twitter and others have made mention of this overhead. Specifically, it is used as a reason not to enable HTTPS by default on their services. (Or in some cases, even offer HTTPS at all.) That said, any decent cloud provider would in my mind be designing upcoming systems with this in mind; installing cryptoprocessors and ensuring that they have the ability to offer encryption to their customers as a standard, without a great deal of additional burden on their datacenters.

0
0
Gold badge

@Ammaross Danan

Quite a bit of vitriol. Let us examine some of it. First off, full disk encryption (even using TrueCrypt) can be a much higher CPU hit than 3-4%. Many factors matter here. How fast is your CPU? Do you have a TPM on that system? Drivers and such loaded so that your applications can take advantage of it?

As stated in the article: encryption overheads don't have to be anywhere near the traditional 25% hit. It is however a number frequently brought out by people who believe that encryption is a waste of resources. In the case of this Mac Powerbook G3, full-disk encryption cheerily would be 25% of the CPU. Quite probably more.

Next, I am lacking an understanding of how pervasive encryption became a "mantra." It is true, I believe it should be used in more places than it is...but it is but one tool amongst many. There are plenty of elements of encryption that these businesses can undertake without any real budgetary impact.

The burden of encryption should not belong to end users alone. Cloud services – from gmail and twitter all the way to EC2 and Azure – should not only be offering SSL as a possibility, but redirecting every HTTP request to HTTPS. You should have to choose to use an unencrypted communications protocol – after a warning pops up to tell you the risks – rather than the other way around. The burden here in my opinion is largely on the cloud providers themselves; one they shoulder only very reluctantly, it seems.

Another point of interest: you rightly point out that sticky notes are not a bad thing in and of themselves, physical access is required, and the attacker would have to see them to use them. Simply putting the commonly used passwords on a sheet of paper, placing it inside a folder (that everyone at the workplace knows about) and putting it inside the filing cabinet beside the computer desk is a marked improvement in physical security for very little additional work.

As to the consulting job itself, here is how it played out: Updating the PowerBook’s software – most importantly the WiFi drivers – to be able to use WPA2 was my very first step. Next was simply junking the router and getting something that could support WPA2. After this, I introduced them to Firefox, and lovely plugins like https://www.eff.org/https-everywhere/

I set them up with dropbox and a scheduled task that zipped up their critical 20MB of information every night into an encrypted ball and moved it into the dropbox folder. A second scheduled task prunes backups older than 3 months. All their sites are set up on this now; it has already saved their butts when one of the old powerbooks dropped its disk.

These are cheap solutions, all involving just a little bit of encryption that – while not the perfect or ideal solution – add a layer of security overtop the impenetrable user apathy that exists at this business. Most importantly, it cost them only one cheap replacement wifi device per site. I didn’t even charge for the three hours of my time.

It should be pointed out that even at that, they were exceptionally reluctant to spend money on IT. This is a company where store managers must update all the accounting spreadsheets, put the numbers into the accounting program, then print out the statements and fax them in to the accountant. Why? The accountant refuses to own a computer and keeps all records by hand on a 30-column ledger.

We can’t ignore that these businesses exist. You state you are a freelancer and speak of advertising and winning business. Well it is for yourself and other freelancers that I feel writing such articles is important. I hope that it is a bit of cold reality to remind all freelancers and consultants “these people are out there.”

Myself, I am not. I end up taking these jobs not because I am a consultant, or because I need/want their money. I do it because I feel a weird sense of duty; an obligation to help the technologically impaired. I have the ability to lend a hand…why wouldn’t I?

So sir, pervasive encryption is not a mantra, nor is it overly burdensome or expensive…except to cloud providers who are not taking full advantage of cryptoprocessors in their infrastructure. It can however – like the airbag mentioned elsewhere in this thread – be an important safety measure when others have failed.

0
0
K
Bronze badge
WTF?

The password for the cloud service is scraped from the HTTP session

I'm not a great fan of these cloud computing fads - but I think you'll find even the simplest of cloud operators use HTTPS. So how could this have been scraped?

0
0
Gold badge

You are correct.

Virtually all cloud operators offer HTTPS. Few offer it as default. Fewer still enforce it as the only option.

1
0
Thumb Down

Doesn't solve the problem

Encryption doesn't stop man-in-the-middle attacks. It also doesn't stop sloppy humans using poor passwords.

0
0
Flame

It does and it does not

It solves the problem if there is _TWO_ way cryptographic authentication - x509 cert in the client (even a very trivial software one) and an x509 in the server.

In that case, whether the user clicks on the "OK" is irrelevant; the server can and will drop the session because it does not come from a known x509 cert. Even in the "stolen cert" case, a mismatch between the username and the cert can catch most attacks.

If you do not have an x509 cert and the server does not authenticate the client cryptographically, then a MIM can be used to attack most cases of https (or SSL/TLS in general).

1
0
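The two-way authentication described in the comment above, sketched as an added example (not part of the original post): a server context that refuses clients without a certificate from a known CA, plus the username-versus-certificate check. The function names, file-path parameters and the sample certificate dictionary are assumptions made for illustration.

```python
import ssl


def mutual_tls_context(server_cert, server_key, client_ca):
    """Server-side TLS context that demands a client certificate.

    The three arguments are paths to PEM files (assumed to exist on the
    server). With CERT_REQUIRED the handshake fails on the server side
    when the client sends no certificate or one not issued by client_ca.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    ctx.load_verify_locations(cafile=client_ca)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def accept_client(ctx, listener):
    """Accept one TCP connection and run the TLS handshake.

    Returns (tls_socket, peercert) or None when the handshake is refused,
    in which case the session is dropped before any application data.
    """
    raw, _addr = listener.accept()
    try:
        tls = ctx.wrap_socket(raw, server_side=True)
    except (ssl.SSLError, OSError):
        raw.close()
        return None
    return tls, tls.getpeercert()


def certificate_common_name(peercert):
    """Pull commonName out of the dict format returned by getpeercert()."""
    if not peercert:          # None (no cert) or {} (cert not validated)
        return None
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def authorise(peercert, claimed_username):
    """Second check: the login name must match the certificate's owner.

    This is what catches a valid certificate being used with somebody
    else's username. Returns (allowed, detail).
    """
    cn = certificate_common_name(peercert)
    if cn is None:
        return (False, "no verified client certificate")
    if cn != claimed_username:
        return (False, "certificate belongs to %r, login claims %r"
                % (cn, claimed_username))
    return (True, cn)


# Constructed sample in the shape getpeercert() returns; not a real cert.
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Shop"),),
                (("commonName", "alice"),)),
    "issuer": ((("commonName", "Example Shop Client CA"),),),
}
```
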
Anonymous Coward

Not really obvious

... how the use of encryption would help in the example given. For data to be used it must be accessible. If it's accessible then it can be compromised, regardless of whether it's being encrypted/decrypted on the fly.

Each of the aspects of the example uses stolen userland credentials in the same way that a user would, meaning encryption would not be useful in this instance. Trevor, could you please expand on this?

0
0
Gold badge

@Anonymous Coward

Well, let's look at this a little:

First: WEP. WEP is terrible. WEP and WPA both are easily cracked, WPA2 personal being within the "possible but unlikely" range. Had the company in question been secured with WPA2, this game would have been over before it began.

Second: Signed binaries on the router. Had the router's operating system design taken into account the idea that eventually people would find a vulnerability and root the system, they would have implemented a process of signing their binaries. Any change to the binaries (so as to add software for a man-in-the-middle attack, for example) would be rejected as compromised code. It might result in the router bricking itself, but that's better than allowing an attacker to gain a foothold.

Third: HTTPS. While it’s true that with some SSL scenarios, you can pick up the encryption keys (or information passed to the server from the client) if you get there as the session is set up…you certainly can’t decrypt an SSL stream with the processing power available to you on a broadband router. (I have my doubts you could do it in real-time even with a van full of equipment; the wireless bandwidth would be the limitation to attacking SSL with rainbow tables.)

If you can’t pick apart the stream, you can’t inject code. If you can’t inject code, you can’t compromise the browser, root the Mac and install a bunch of lovely world-ending crap. (It was this crap that got browser-injected that eventually scraped the banking passwords.)

There are other cases where encryption saves the day for other breach scenarios, but any of these would have saved the day here. Simple things that – in my mind – the end user should never be responsible for. Setting up strong wireless encryption should be simpler than Bluetooth pairing. For *some* modern routers, it is. Routers should be designed with security in mind; they are lovely targets; manufacturers should be locking them down tight and signing binaries. Lastly…everything everywhere should be SSL forever. We need to stop assuming that the communications channel between our customers and our cloud services is secure. It isn’t. There are so many ways to intercept that stream that we need to consider it a /public/ communications stream and encrypt all interactions.

That’s where that 25% comes in. Cloud providers are afraid of the overhead on their side of the equation if they not only enable SSL, but make it the default. It is where – quite frankly – cloud providers are failing their customers.

0
0
Silver badge

Problem?

"have just been compromised in a matter of minutes...With this sort of scenario in mind I want to make the case for pervasive encryption."

Except in your scenario the utter lack of proper security means the password for encryption is going to be the same as all others, so the hacker just uses that to decrypt the files. And progress is?

So you do need proper security, but the key problem in your scenario is the lack of training/care by everyone. Unless the *system* was set up with this in mind, encrypting your local files is not enough.

3
0
Terminator

= Error in user module

Replace user and try again...

0
0
Silver badge

Eh?

1. The shop's PC/Macbook would not be using WiFi.

2. No WiFi client has used WEP since like 2006.

3. No banking or payment site ever used http. Https has been the norm for many years.

The author is imagining a world entirely security free, and telling us it should be universally secured. Personally I like to use telnet because ssh slows my server to a crawl.

0
4
Silver badge
IT Angle

He!

1. You haven't been to the back office of many small shops, have you? A lot of them, and some medium/large ones use WiFi. A Lot.

2. Saying no WiFi Client has used WEP since 2006 is like saying no Windows has used IE6 since IE8 came out. Just because an alternative is available doesn't mean that it's used. In fact, much of the general populace is pretty annoyed at us IT folks coming out with updates every few months and some have gone as far as refusing to apply them. They feel we should get it right to start with. We haven't taken the hassle of updating away, and we haven't made the security benefits clear enough.

3. I know lots of financial sites that don't use HTTP until AFTER the login screen (i.e., the initial login screen is sent over HTTP, containing an HTML form set to post via HTTPS.) The problem with that is, if the login form is transmitted over HTTP, it's susceptible to being intercepted and having keylogging or redirection code injected into it.

+4. If SSH slows your server to a crawl, you need either:

a. server hardware made after 2001, or

b. SSH software written by a competent developer.

4
0
Silver badge
Stop

Why not?

"1. The shop's PC/Macbook would not be using WiFi."

Why not? Care to expand on that? Most users of laptops use WiFi not tethered access.

"2. No WiFi client has used WEP since like 2006."

Again, not true. A quick trawl around the neighbourhood shows that WEP is still in use.

If you want your kid to occasionally use their Nintendo DS through the router, it has to use WEP since that's all it will support.

I think you underestimate the sloppiness of most people bearing in mind the recent survey (see elsewhere on El Reg) regarding encryption on WiFi and a proportion of some people's blind indifference to or lack of knowledge of Wifi Encryption

2
0
Bronze badge
Boffin

A more salient point might be

That there is no such thing as a ten-year-old MacBook, as they only came out in 2006!

0
1
Gold badge

@Havin_it

Sincere apologies. It was indeed a POWERbook, not a MACbook. Same insanity, different chip architecture. :D Macbook G3, if you must know.

0
0
Silver badge

@Steven Knox

1. I haven't been in many back shops. But I have been in small business offices, and office PCs tend to be fixed. "back room" implies a PC that does not move around, so why would it be on WiFi ?

2. I was wrong. Of the 9 wireless points right now. My software initially makes it look like they are all WPA-PSK secured, but deeper investigation shows at least 2 are indeed "WEP 40/128 bit". I thought WEP fell out of use years ago.

3. Give an example ?

4. Yes that was the joke - meant to be spoofing the article's assertion about security and its system load penalty.

0
0
Silver badge

When Verizon sold my mostly computer illiterate mother

a wireless DSL the default encryption of WEP. At that point, the compromise Trevor referenced had been known for 2 years and WPA2 was available. If I hadn't been there to change it to WPA2 she could easily have been hacked.

0
0

No WiFi client has used WEP since like 2006

Oh yeah? On which planet?

14 wireless access points visible from the machine on which I'm writing this:

Two unsecured (BT openzone/BTfon),

Six WPA2-PSK (nice to see that I'm not the only person here with up to date kit -- which was the case a couple of years ago when I moved in).

Two WPA-PSK.

Four WEP. Of these, one is labelled BTBusinessHub -- you can take your pick as to which of the businesses at the top of the street that one is -- my money is on the extremely expensive dress shop whose owner/designer tends to sit front of house with her macbook doodling designs when business is slow.

1
0
Anonymous Coward

WEP

Not using WEP would solve this problem before it occurred. Non-issue.

0
4
Anonymous Coward

Good idea, except it won't fly.

The costs are considerable but can be swallowed. Buuut.

There's key management. Encryption policies. Compromise fallbacks. Scenarios to play out and train for. And so on, and so forth. Because none of all this tech fixes the basic problem: A popup warning interrupting the flow of getting things done before jetting off, clicking the wrong button and it's all over.

So it's three, seven, thirty buttons that all say "are you (really){0,inf} sure?" Recall vista's sevenfold ack requirements. People howled. And for good reason. It doesn't help. A popup is a popup is a popup is something that will invariably be ignored then bite you in the arse.

Yes, we'll need to learn to be more careful with our data now that we can broadcast it everywhere in an eyeblink. Yes, encryption will be part of that. But it's only one tool among many. And since cryptogeeks can't even make themselves be understood by normal geeks, it's not surprising their vehicles have just about zero uptake amongst the general populace. How many here have a GPG key and know how to use it? But even if that store clerk could, it's moot.

Encryption doesn't help against popups.

1
0
Silver badge

Change the Game

Make uploading the data the first thing done in the morning instead of the last thing done at night.

That way the minimum wage till slave you have employed at least feels they are doing this on your time and not theirs.

0
0
Silver badge
Headmaster

Nice Idea

But these retail chains want stuff uploaded in the evening so they can process it overnight.

1
0

No magic bullets

System based approaches are all very well but if you are going to make a large investment in security then operations as lax as you describe in your example would benefit far more by raising security awareness and standards of practice amongst staff and management.

Simply pushing encryption as standard to such an operation merely gives the ill-informed users yet more of a sense of false security.

I'm not saying encryption doesn't have its place but ill-trained users will compromise a system every time. Reading some tech pages it would be easy to get the impression that running a fully patched OS with up to date spy/av ware and a firewall with full encryption of everything allows the user to stop thinking.

Encryption has its place but as with all other programmatic measures it must be within a robust user practice or it's worthless. Even a programmatic approach that simply blocks the user doing something dangerous cos they are not doing it the right way carries that most pernicious of dangers - the undocumented workaround.

1
0
Gold badge

@Colin Millar

Well said.

0
0

title

I see this a little differently... don't get me wrong, I'm all in favor of encrypting everything - but the majority of the problems here are user problems - and a single user, at that. Your till-jockey shouldn't have been accessing any of that information; regardless of encryption, someone could have jimmied the lock and swiped the laptop and password (which was probably taped to the laptop anyway).

Bad business practices cannot be fixed with better hardware or well-written software. No matter how awesome the airbag in my car is, if I tape a clipboard on my steering wheel, I'm going to get killed when the airbag goes off. In the same way, as awesome as cloud storage may be, having your till-jockey directly access it is a bad idea. How to fix it, I don't know; it probably involves buying a better till that can do the reporting itself... or at least get the till-jockey off the computer. The till-jockey can still write his hours down, but it should all go onto a nice, wifi-free piece of paper that goes into a safe drop box, for the manager to enter over the weekend.

1
0
Gold badge

@armanx

The difference here is that you don't have to install and configure the airbag yourself. Cars are designed with the idea in mind that the end user doesn't know how to maintain them. We also have decades of a culture wherein "if you don't understand how to fix your car on your own, bring it to the mechanic on a regular basis."

That culture has yet to spread to computers, as does the idea that they should be simple to use. Worse yet, computers don't come out-of-the-box configured for safety. Nor do several cloud services. That the option for better security exists helps not at all if the end user knows nothing about it.

IT folk love to blame the user. They love to blame the business owner. They like to blame everyone and anyone excepting themselves. Security should be built-in, on by default and easy to understand from the word “go.” In some cases, great strides have been made. In others, even the most basic precautions aren’t followed.

There is still much work to be done; I believe that applies to all sides of the IT problem. Developers, device manufacturers, service providers, sysadmins and yes...even the end user. I don’t believe any link along that chain can reasonably be expected to bear the entire burden alone.

2
0

Agreed

I think the main hurdle is replacing the computer entirely - like I said, a till that reports by itself, instead of requiring a go-between. Hardware is often overlooked; as a hardware guy myself, I would have to lay the blame on, well, hardware. The best devices out there hide functionality from the user completely. When you set up a router, it should have a default password that, until changed, keeps the Internet turned off. It should be hard to turn *off* security, not hard to turn it *on*. Hardware should support that, but too often, cheap components are tossed into a device, and the rest is left to the software guys (who then toss in some cheap code, and leave the rest to the users).

Cars get taken to the mechanic because people don't have the tools to fix it themselves; anything that needs security should operate the same way. In your example, a self-reporting till would eliminate the till-jockey's interference, and would further make it a "custom install", which would (usually) force the installation to be performed by a certified installer.

It really comes down to money. A basic till, a laptop, and a WEP router is cheap; a "smart till" is not - at least in the short term. Until the hardware and software guys can work together and turn out smart, secure devices for cheap, we're stuck with what we've got - lack of encryption included.

0
0
Bronze badge
Thumb Down

yeahbuhWHAT?

"After finding the enrichment-inducing 69p that someone dropped on the floor, the bored till-jockey stuffs it into his pocket and continues watching pr0n."

There, fixed that for ya.

If you have (a) wifi turned on at all on a machine that lives "in the back room", (b) a fucking LAPTOP in this role to begin with, and (c) employees you characterise as so untrustworthy yet still allow them unfettered and unmonitored read, let alone write, access to any sensitive data whatsoever, then you may as well pack it in now.

By now even the most piddling of small businesses (the kind I'm sure you are stereotyping here, for whom IT is a burden and nobody cares as long as it "just works" or they can call someone when it doesn't) have had PCI DSS rammed up their arses to such extent that pleading ignorance of the concepts of data security just will not wash any more.

0
0
Gold badge

@Havin_it

Sir, I respectfully request you consider the geocentricity of your statements. PCI DSS is not law in Canada. Even if it were, no one would enforce it here. As a small business administrator here in Canada, I have seen this and far, far worse. What I relate is not a tale made up out of thin air. It is a tale based upon what I have seen with my own two eyes.

Seen, because when they found out something was splork (tens of thousands of dollars later,) they called a friend who called a friend who called a friend who referred them to me. You make some large assumptions about people, businesses and the technical capability of both. The majority of people aren’t IT nerds. They really, honestly do only care that it “just work.” They don’t want to – and will stubbornly refuse to – learn more than the bare minimum required to get the task done.

In this case, for all the “just do X, problem solved” comments one could lob…it doesn’t change the fact that A) a great many people don’t know that and B) a largish % of those same people wouldn’t do anything about it (until it bit them in the ass) even if they did.

2
0
FAIL

Incorrect article title

Should read;

Pervasive Encryption; Just say..."apky řicetiliónů neléd"

... and let the reader attempt to decrypt.

2
0

I like the article...

Read as a metaphor the article makes perfect sense - "sysadmins be overly paranoid as the staff are out to screw you over with their inadequacy as much as skiddies are with their downloaded toolz!"

Best comment so far? "Bad business practices cannot be fixed with better hardware or well-written software. No matter how awesome the airbag in my car is, if I tape a clipboard on my steering wheel, I'm going to get killed when the airbag goes off."

Nice one ArmanX - there's real world and metaphor in perfect juxtaposition!

0
0
Gold badge

Thank you.

I don't know why some people read an article like this and come away with "encryption is the only answer; the only solution you need!" I think it’s a tool, an important and useful one that we shouldn’t be working without. I believe it should be on by default. Its use could prevent some easily-avoidable wetware errors such as the one detailed in the article.

It is by no means foolproof. Tape a clipboard to that airbag and you might well get a chance to watch Darwin in action. Still, if the user doesn’t have to install and configure the airbag on their car, there is a reasonable chance that – barring some world-ending clipboard-esque stupidity – that airbag will be there and functional when it is needed.

An Airbag doesn’t guarantee your survival in case of an accident. If you screw with the design of the airbag through apathy or idiocy you can render it useless. I see encryption the same way; a form of digital airbag. It isn’t guaranteed to save you, but it might just help when the brakes (wetware education, training and corporate procedures) fail.

0
0
Silver badge
Paris Hilton

How does pervasive encryption

overcome the problem of "rampant password reuse"?

1
0

PEBKAC

As has been pointed out, the problem here is the perennial one of people clicking past popups. Training people to not do this remains one of, if not the, biggest security problems there is.

How's this for a possible solution? Treat it like any other emergency, and have semi-regular unannounced drills, as you would with a fire drill. Add a little something to the OS where every week or so a typical click-thru popup pops up, and if the user clicks through and ignores it, put up messages along the lines of "YOU HAVE FAILED THE TEST! IF THIS WAS REAL YOU WOULD HAVE BEEN ROOTED YOU LUSER!" (or words to that effect), and log it for the manager. Fail it 3 times and it's gross negligence and you can be fired.

The timing of a week or so is an attempt to find a middle ground between "so many it infuriates users" and "so rare it's useless", and may well need tweaking.

Possible extras:

Have this default to on in the OS, but have it turnable off, with difficulty, on a user by user basis - if home users can work out how to do it, they probably don't need it - but log that for the manager as well, so they can forbid it in a work environment.

Randomise the look and feel of the popup, with regular updates through Windows Update so people can't tell just by looking at it that it's a popup drill.

I'm sure this will never actually happen, but can anyone see any obvious flaws (other than Microsoft will never do it)?

0
0
Unhappy

Encryption is not the solution to poor IT & security management practices

As others have mentioned.

Encryption was in place albeit badly WEP - compromised. Problem = Business failing to update old hardware or update configuration.

HTTPS was man in the middled, so encryption was in place. Problem = User awareness fail.

Poor password policy, poor patch management, poor config management, poor end user awareness. Encryption won't solve any of these and I wish people would stop looking at crypto as a silver bullet for all security woes.

The "little bit of crypto" was the problem here in the first place. Not understanding the threats was the second, then doing nothing about either was the worst.

SMEs particularly need to get the very basics right first. The last thing we need is lots of small organisations blindly encrypting everything and then thinking that security is done.

0
0
Coat

I talked to an agency somewhere in EU

who mentioned that wholesale hoovering of any and all wifi traffic is going-on. WEP WAP radius all. not just by the google camera car for 5 mins but by people with big hard-disks for months and months. The idea behind this is to give their big gpgpu arrays something to process, maybe there's something useful for them? they view encryption just as a delay and are happy to apply any new vuln/hole on vast buckets of 'old' data. Maybe the WiFi perimeter intruder h/w is the solution, but your rf packets will still be sniffed. Hopefully those enterprises with valuable data don't have wifi/bt on anywhere and have a real-time-spec-analyser looking for data bursts!

I think this qualifies for a tinfoil hat!! now which pocket did I leave it in?

1
0
Thumb Up

Good article... read this too

...66 pages but I read it yesterday and is very very good... slaps Google, MS, Facebook et al in the chops about gov backdoors and weak security by design (due to incentives being wrongly aligned):

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1421553

1
0