Are people reading what you write (without asking)? Part 1
Written by: David
When connecting to remote systems, it’s easy to overlook a very simple fact: many methods of communication are not protected in any way, shape, or form. Even as you read this post, the data is being sent in cleartext, and anyone with the desire to watch over your shoulder can. Data is the foundation of the internet and of businesses in general, and not all of it is a big deal if someone else gets it. However, there is a lot of information that should be protected, and there are a lot of ways to protect it.
First, a common example and, hopefully, some answers. Let’s start with probably the #1 offender: Instant Messaging. IMs have exploded on the internet in the last few years as a great, simple way for people to talk (ok, type) to each other. Here is the problem. Odds are very good that your message to your wife with your account information for the bank website was sent in the clear, because you aren’t using any encryption. Yes, most IM technology has no concept of secure communication at all, so everything you type is like talking on a party line: anyone who’s listening can hear it, too.
Now, depending on what IM system you are using (AIM, Yahoo!, MSN, etc.), there are different ways to deal with this one. Some of them may have an encryption option built in, which is much rarer than it should be. Because of this, there are some third-party IM client solutions. One of the more popular IM clients is Pidgin. Not only does it support multiple messaging protocols (because you can’t get all your friends to use the same one), but it’s available for most operating systems and has more than one encryption option available as a plugin. If you primarily use AIM, then the OTR plugin is probably what you want. Adium (the MacOS native IM client based on the Pidgin libraries) has OTR built in. The pidgin-encryption plugin is another option that has been around almost as long as Pidgin.
Unfortunately, this is just one of many potential examples and solutions. Do a little research into whether or not your favorite IM client or protocol has any way to encrypt your messages. The real point is simply to be aware that what you are sending is probably exposed, so don’t send anything that you deem to be important without setting something up first.
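As an added example (not code from the original post), here is a small check a network defender can run over connection logs to see which hosts are chatting in the clear on the IM networks named above, and which conversations are already OTR-protected. It assumes the well-known default ports for AIM/OSCAR, Yahoo! Messenger and MSN Messenger and a constructed, simplified log line format; both are assumptions, not anything from the post.

```python
import re

# Assumed default ports for the IM networks named in the post; adjust for your network.
IM_PORTS = {5190: "AIM/OSCAR", 5050: "Yahoo! Messenger", 1863: "MSN Messenger"}

# OTR query, key-exchange and data messages all begin with "?OTR".
OTR_PREFIX = "?OTR"

# Constructed log format (assumption): "<timestamp> <src> -> <dst>:<port> <payload prefix>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<payload>.*)$"
)

# Constructed sample lines; the addresses and payloads are made up for this example.
SAMPLE_LOG = """\
2008-07-10T09:58:01 10.0.0.5 -> 203.0.113.10:5190 the bank login is acct 1234
2008-07-10T09:58:05 10.0.0.7 -> 203.0.113.10:5190 ?OTR:AAEDAAAAAQAAAAEAAADA...
2008-07-10T09:58:09 10.0.0.9 -> 203.0.113.20:1863 MSG hello there
2008-07-10T09:58:12 10.0.0.5 -> 203.0.113.30:443 TLS handshake
"""


def classify(line):
    """Return (src, protocol, status) for an IM line, or None for non-IM traffic.

    status is "otr-protected" when the payload is an OTR message and
    "cleartext" otherwise. Each line is judged on its own: a message typed
    before the OTR session was set up is still reported as cleartext.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    protocol = IM_PORTS.get(int(m["port"]))
    if protocol is None:
        return None  # not one of the IM ports we track
    status = "otr-protected" if m["payload"].startswith(OTR_PREFIX) else "cleartext"
    return (m["src"], protocol, status)


def cleartext_im_by_host(log_text):
    """Map each source host to the sorted list of IM protocols it used in the clear."""
    exposed = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[2] == "cleartext":
            exposed.setdefault(result[0], set()).add(result[1])
    return {host: sorted(protos) for host, protos in exposed.items()}


if __name__ == "__main__":
    for host, protos in cleartext_im_by_host(SAMPLE_LOG).items():
        print(f"{host}: cleartext IM over {', '.join(protos)}")
```

Hosts it reports are the ones to point at Pidgin with OTR or a similar plugin; a port match alone says nothing about content, so the OTR prefix check is what separates "talking on the IM port" from "talking in the clear".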
July 10th, 2008 at 9:58 am
David,
Excellent point! To add two more examples, I have a friend who provides SEO services to multi-media firms (i.e., movie producers, etc.). As tight as you may think DRM is for audio, you would think movie producers would have even better protections against film piracy. Not always true. He has to very frequently remind many of these organizations that just because a contract says their media must be protected does not mean that it actually is. He has even had to demonstrate this to them, when he uses basic admin tools to “crack” one of their passwords and gain access to a new media product before its release date.
I have several friends who are enterprise-class global IT security specialists, who speak at Black Hat conferences, etc. They’ve told me that the reason most firms have breaches is a combination of social engineering against non-IT staff, a lack of security protocols (e.g., regular and systematic updates, internal scans, authentication, roles & responsibilities, etc.), and a simplistic “it won’t happen to us” mentality.
It is that latter mentality that sets firms up for failure, because it determines priorities, budgets, and attitudes. “If the boss doesn’t care, then why make my life harder?”
I look forward to more examples from you for this series!
Mark Cummuta
President
Triumph CIO Group