{"id":694,"date":"2012-05-24T11:53:22","date_gmt":"2012-05-24T10:53:22","guid":{"rendered":"http:\/\/www.phillips321.co.uk\/?p=694"},"modified":"2012-05-24T11:53:23","modified_gmt":"2012-05-24T10:53:23","slug":"mini-rant-security-that-makes-no-sense","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2012\/05\/24\/mini-rant-security-that-makes-no-sense\/","title":{"rendered":"Mini Rant &#8211; Security that makes no sense&#8230;"},"content":{"rendered":"<div class='posterous_autopost'>\n<p>In my line of work we encourage encrypted communications and securing sensitive data especially when it comes to PII.<\/p>\n<p>However it&#8217;s increasingly common to see systems put into place that are obviously only there to mitigate litigation aspects should anything go wrong.<\/p>\n<p>Take American Express for example:<\/p>\n<p>An email from them asking you to send a copy of your passport\/driving licence\/etc&#8230; to confirm your identity suggests that you may reply via email however:<\/p>\n<blockquote>\n<p><span style=\"line-height: 115%;font-family: Arial,sans-serif;color: #5f5f5f;font-size: 11pt\"><strong><em>Please note that the internet can be insecure. You must use a secure encryption method when sending personal data and\/or documentation to us via email to safeguard your personal data<\/em><\/strong><\/span><\/p>\n<\/blockquote>\n<p>Great&#8230; you encourage your customers to encrypt their personal data.<\/p>\n<p>So I&#8217;ll just send over a truecrypt volume encrypted with twofish-aes-serpent shall I?<\/p>\n<p>Or perhaps a PGP encrypted volume, whats your public key?<\/p>\n<p>What about just an AES256 encrypted zip?<\/p>\n<p>Okay so that&#8217;s point 1.<\/p>\n<ul>\n<li>They&#8217;ve suggested that it is on the customers own head to protect their data. However they have not listed the accepted formats of encryption that they use.<\/li>\n<\/ul>\n<p>So we&#8217;re assuming because they&#8217;ve not provided us with a public key they don&#8217;t want pgp or gpg encryption. They want something simple that doesn&#8217;t require too much infrastructure in place so we&#8217;ll go with the AES256 encrypted zip, which providing they have winzip\/7zip\/*ziprarace client means they can enter in a password and decrypt the contents.<\/p>\n<p>Great, so how do I get the password to you?<\/p>\n<p>AMEX are right, internet communication via email is all in the clear, so if someone was in the middle of my traffic (i&#8217;m on a corporate network, chances are they&#8217;re monitoring it at least so files could be logged or archived in an antivirus mail gateway for example) they could intercept the cleartext data and have my passport details.<\/p>\n<p>So I encrypt it and send it via email, attacker or corporate network now only has an encrypted zip file.<\/p>\n<p>How do AMEX suggest I send a password to them? I call their customer service desk, expecting them to give me a number to SMS it to or a voice service that instead reads me a password when I dial the number and enter my reference code?<\/p>\n<blockquote class=\"posterous_short_quote\">\n<p>Oh you just send it via email. I think you&#8217;re meant to send it all together<\/p>\n<\/blockquote>\n<p>&#8230;I explain my concerns..<\/p>\n<blockquote class=\"posterous_short_quote\">\n<p>Erm, I&#8217;ve never been asked that before I guess I could give you another email address to send it to<\/p>\n<\/blockquote>\n<p>Point 2:<\/p>\n<ul>\n<li>Sending encrypted data along with the password in the same email is as good as sending cleartext data.<\/li>\n<li>Sending encrypted data along with the password via the same mechanism is as good as sending cleartext data.<\/li>\n<\/ul>\n<p>So despite all of AMEX&#8217;s good advice above &#8220;You must use a secure encryption method&#8230;&#8221; actually there is no way to use a secure encryption method to keep your data safe when dealing with them.<\/p>\n<p>Extra Note:Along the same lines,&nbsp;as I mention above&nbsp;I regularly get asked to encrypt reports that are deemed commercially sensitive. So I email out the encrypted zip file, and they request that I SMS them the password.<\/p>\n<p>2 minutes later, their blackberry chirps&#8230; twice.*<\/p>\n<p>*Can you guess what just happened? Yup&#8230; thought so.<\/p>\n<p><P><A href=\"http:\/\/posterous.com\">Posted via email<\/A> from <A href=\"http:\/\/blog.owobble.co.uk\/mini-rant-security-that-makes-no-sense\">ScriptMonkey<\/A> <\/P><\/div>\n","protected":false},"excerpt":{"rendered":"<p>In my line of work we encourage encrypted communications and securing sensitive data especially when it comes to PII. However it&#8217;s increasingly common to see systems put into place that are obviously only there to mitigate litigation aspects should anything go wrong. Take American Express for example: An email from them asking you to send [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/694"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=694"}],"version-history":[{"count":1,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/694\/revisions"}],"predecessor-version":[{"id":695,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/694\/revisions\/695"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=694"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=694"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=694"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}