Data Security: don’t just roll your eyes at leaked UFO emails
WikiLeaks, the Battlestar Galactica approach, and security apathy
In Breakroom, WeBreakTech staffers chat about the last couple of weeks in tech. What’s new? What’s broken? What are we working on? What makes us want to hurl things into traffic? Sarcasm, salty language, and strong opinions abound.
Josh.Folland: This only confirms my suspicions that politicians and celebrities are lizard people.
Trevor.Pott: The WikiLeaks thing has some potential implications for real-world IT.
Putting the politics aside, let’s look at what’s happened here. Somehow, WikiLeaks got hold of a bunch of stuff they shouldn’t have. In some cases, we know the source (such as Chelsea Manning). In others, we don’t (such as the DNC leaks).
But in each case, the information has been leaked not only with the intention of making information known, but with theater: the intention of causing the maximum possible amount of hype around the leaks. I think this adds a dimension to any data security discussion.
We’re beyond simply “your data may go walkabout” and well into “people may use leaked data as part of a coordinated smear campaign that can hurt far more than a simple data dump.” Do we think this new approach by WikiLeaks will change the dynamics of data protection for corporations and/or governments?
Josh.Folland: Is this really anything new, though? People have been digging up dirt and using it against one another forever. The mechanics of how you get said data are all that’s changing.
Trevor.Pott: That’s an interesting question, and I think that goes down two paths: 1) is the danger of a leak only from the people leaking it, and 2) does timing make a leak more sensitive, and maybe there is a call for increased digital security measures corresponding with important events such as elections, merges and acquisitions, etc.?
I think the sheer volume of the data that can be spirited away covertly is transformational. You can’t walk out with a room full of filing cabinets.
Josh.Folland: Good point.
Trevor.Pott: But lo, if you can grab a backup of the Exchange database…
Katherine.Gorham: It’s only transformational once people start caring enough. Do you think that these leaks will do it, or do we need yet more breaches to convince people that this is real?
Trevor.Pott: Hang on, are you saying people are apathetic about digital security, or about the content of the various leaks?
Katherine.Gorham: Well, I don’t care about the UFO leak, personally. But I’m saying people are apathetic about digital security.
Josh.Folland: I don’t think the guys in charge of Clinton’s IT at the very least were ever apathetic about digital security. Hell, the guy who ran the Exchange server got exposed for posting on reddit about how he could make Exchange do some nebulous things involving making things disappear (for Clinton).
Trevor.Pott: Oh, I disagree about that. IT people are massively apathetic about digital security Most of them sneer at it and actively try to convince others it isn’t important!
Josh.Folland: But the people who know they’re at high risk for coming under fire if they get exposed for anything like that surely are less idiotic about it. The guys behind the Clinton campaign didn’t end up in jail, so the IT guy did something right.
Trevor.Pott: Okay, hang on, I think we’re in dangerous waters here. Let me be perfectly clear about something: if your opponent is a state actor (or criminal outfit with comparable means) then there is absolutely nothing that you can do to stop them. If you are targeted by a state, you are done. Period. Let’s not delude ourselves or our readers on this point.
You can defend yourself against drive-bys, against casual probes and mass surveillance. But not against targeted attacks by well-resourced adversaries. Not possible.
Katherine.Gorham: Okay, then by “transformational” do you mean that we are going to have to go back to storing sensitive data on dead trees?
Trevor.Pott: By transformation I mean two things: 1) does the increased theater around high profile leaks mean that we/the public are paying more attention to digital security breaches and 2) will this result in us reexamining how we do things? One such possible consequence could be, yes, abandoning connected digital tools for certain uses.
(I have arguments to make about the validity of completely abandoning digital tools, given the infeasibility of air-gap attacks in the real world. Regardless of the research into the area.)
Katherine.Gorham: So the takeaway is that if you are not likely to be the target of a state or the Mafia, beef up your defenses like crazy and you should still be mostly okay?
Josh.Folland: And if you are…. Use paper?
Katherine.Gorham: I would like to mention that “beef up defenses” needs to include whatever measures are possible to take against one of your own employees being bought or intimidated into using their access.
Trevor.Pott: Well, let’s talk about “if you are.” There are a few things you can and probably should do if you feel you might be the target of a state actor.
The first thing I would advocate is to abandon email. Email can’t be secured. There are post-email technologies that offer end-to-end encryption, with two-factor authentication and other goodies to help secure things. These are basically glorified instant messengers, or Slack-like techs, but they can be made far more secure.
The next is to archive off anything older than is absolutely required to be “active” and searchable by your application. If you need to search deep archives, make it doable by people who are using a network that does not touch the internet at all. It’s all about minimizing the attack surface.
E-mail should be considered a public conversation. If you need to talk to someone in private, you need to start thinking about secure applications to do so.
Josh.Folland: How long until “The Galactica Approach” is a thing?
Trevor.Pott: Well, essentially, that’s what I’m advocating. The only things allowed to work across a networked environment are encrypted 100%. End to end on the communications and at rest on the storage. And you move as much off the network as you possible and practicably can.
Yes, maybe it requires hiring a personal assistant who sits in the office and responds to voice calls to search the archives for you, but that’s the cost of being secure.
Katherine.Gorham: And secure your non-networked stuff against things like random people copying data onto USB drives…
Trevor.Pott: And then, as discussed above, you need to viciously crack down on who has access to what internally, and how easily they can be influenced by external actors.
Ideally, you want the person who has access to your archives to be single, with no friends or family and no empathy for the suffering of others. Horrible as that sounds. You need them to be someone that can’t be gotten to, and can’t be broken.
And if your data isn’t important enough to start thinking like that, then maybe you need to think hard about whether or not you are really important enough to be the target of a state actor.
So let’s take this in a different direction, away from the state actor part for a second. I want to talk about operational security.
Here’s an example of something that is inherently unsearchable: “Wells Fargo employees created phony bank accounts.”
When you’re engaged in fraud on a scale that 5400 employees have fingers in the pie I don’t think it’s rational to expect the cover-up can last forever. Which brings me back to the start of the discussion about theatrics.
The Wells Fargo thing is bad, but not nearly as awful as it was made out to be in the media. Here is a whole lot of people gaming the system and executives turning a blind eye because it benefits them.
Inevitably, it blew up…but when it did, the whole thing went thermal. Does this represent another example of a transformative change in how we are reacting to information leaks in this “always on” and massively interconnected society?
Katherine.Gorham: Or is it related to rising social angst about individuals being screwed by corporations, income inequality, corruption, and that sort of thing? This election year has been all about that, too. The perception that Hillary might be in the pocket of Wall Street is part of what keeps people supporting Trump. This kind of feeds into that narrative.
Josh.Folland: I think it’s more of that, yeah. The election year, the protests at Wall Street, hell even stuff like Mr. Robot – society is pretty well fed up with banks doing squirrely stuff like that. Anything that says “Guys! The banks are bad guys! Get ’em!!!” – people eat it up.
Katherine.Gorham: Yeah, instant clicks. Easy media win.
Josh.Folland: There’s certainly an aspect of theatrics there.
Trevor.Pott: So do we feel that the perception of the importance of information security by the public or those who are theoretically responsible for information security is changing? Is it due to the theatrics of outfits like WikiLeaks? And will these changing perceptions lead to changes in how we do things, (including the tools we use to communicate) in an effort to minimize our attack surface and make us a less tempting target than the next guy?
Josh.Folland: As much as I’d like to believe people are wising up to the importance of security is because of education and gradual enlightenment, I definitely think theatrics and being blatantly aware of the consequences (the media will sh*t on you as hard as humanly possible) is the driving force.
Katherine.Gorham: Perhaps this is cynical, but I honestly think it will take more high-profile hacks and leaks to get the public caring about data security. I’m not saying that all IT staff are apathetic about it, but they aren’t always the ones with the budget or the decision-making power. And I have yet to see evidence of a shift in how the people with that power think and act. I do hope that this will kick start that shift, but I don’t know if it’s enough yet.
Josh.Folland: In the past few months alone I’ve seen tons of end-to-end encryption chat apps and whatnot, so at the very least there’s a growing market there. Developers and businesspeople seem to think there’s money to be made thanks to those changing perceptions. But I agree, I don’t know if it’s enough yet.
Katherine.Gorham: Okay, perhaps I should be marginally more optimistic. I want to believe….
Josh.Folland: It’s a very “first they came for the socialists” type of thing, I think.
Katherine.Gorham: You mean people aren’t going to do anything about it until it hurts them personally.
Josh.Folland: Exactly. For example, on a not-enterprise level: The Fappening really changed people’s perception of sexting.
Trevor.Pott: There might also be some aspect of people unwilling to do their part because they view security as being someone else’s problem. Security is often inconvenient. And I think that the pain will have to be very deep for people to be willing to change personal and/or professional habits. They’d much rather make others suffer/do work/pay for something than have to exert even the smallest amount of effort themselves.
Josh.Folland: Not someone who sexts or has massive databases full of questionable emails? Meh. Not my problem.
Trevor.Pott: No, it’s worse than that. The Fappening was ages ago. Celebs still take nudes on their phones. It’s not rational. When confronted, they say they expect their phone provider/phone manufacturer/etc. to handle security for them. They can’t be unaware of the Fappening, but they refuse to change their ways regardless…then are outraged when it impacts them directly.
Josh.Folland: Sure, but for those who DIDN’T change their behavior there are still at least a handful who did. Blow by blow it’ll progress.
Katherine.Gorham: We’re back to “a lot more people need to get hurt before this will stick.” Unfortunately.
Trevor.Pott: So are we at “secondhand smoking” with data security? Will it take a generation or two worth of education and challenging social norms, combined with hard-fought legislation before we see a substantive change in habits around data security?
Katherine.Gorham: There’s a frightening prospect.
Trevor.Pott: Is this a battle that can’t be won for our generation, or those that came before? Only those who come after?
Josh.Folland: Absolutely. I’m from the generation that practically invented sexting. You had better believe we’re telling our kids “don’t f**king do this, and if you are going to do it, be smart about it.”
Katherine.Gorham: I think “it can only be won for the next generation” is an attitude that has its dangers, too. I mean, maybe it’s true, but that doesn’t mean we get to stop trying in the present.
Josh.Folland: Definitely. It’s not to say “oh, we can’t fix this so I’ll just opt out of dealing with this issue.”
Trevor.Pott: One way or another $current_generations will have to build less exploitable infrastructure for future generations. I think my closing thought on this has to be that it’s realistically likely that digital security breaches are going to have to get a whole lot worse before they get better. We’re going to need the equivalent of a tobacco industry lawsuit and a generation of habit changes before security is second nature. Until then, activism matters.