Trusting Cryptography

The information security profession, and cryptography in particular, has passed into a new era where credible evidence has surfaced that reveal that several world governments have played a role in the deliberate weakening of cryptosystems, to facilitate domestic and international espionage. Prior to these revelations, information security professionals could place their trust in national standards bodies, major encryption product vendors, and government organizations. This trust has been broken and will not be easily mended.

A significant challenge in both public and private sectors will be the establishment of new ways to measure the validity and integrity of cryptosystems.  Or, perhaps a new approach will be new and novel uses of cryptography in order to make the compromise of a cryptosystem more difficult than before. The collective discussion on this topic will run its course over several years, resulting in the development of new validation platforms as well as improved application of cryptosystems.

– excerpt from the cryptography chapter of a college textbook still in development

LinkedIn’s “Intro” So Toxic It Could Dramatically Change BYOD

LinkedIn’s new “Intro” iOS app directs all e-mail sent or received on an iOS device through LinkedIn’s servers.

Yes, you’ve got that right.

Even so-called “secure” e-mail.

Even corporate e-mail.

Has LinkedIn been acquired by the NSA?  Sorry, bad joke, poor taste – but I couldn’t resist. It crossed my mind.

BYOD implications

So what’s this to do with BYOD?

Many organizations are still sitting on the sidelines with regards to BYOD. They are passively permitting their employees to use iOS devices (and Androids, Windows phones too) to send and receive corporate e-mail, mostly on unmanaged, personally owned devices. This means that organizations that presently permit their employees to send and receive e-mail using personally owned iOS devices are at risk of all of that e-mail to be read (and retained) by LinkedIn, by every employee that downloads and installs the LinkedIn “Intro” app.

LinkedIn talks about this as “doing the impossible.”  I’d prefer to call it “doing the unthinkable.”

Organizations without MDM (mobile device management) are powerless in preventing this, for the most part.

Every cloud has a silver lining.

This move by LinkedIn may finally get a lot of organizations off the fence in terms of BYOD, but employees might not be happy.  Organizations’ legal departments are going to be having aneurisms right and left when they learn about this, and they may insist that corporate IT establish immediate control over personally owned mobile devices to block the LinkedIn Intro app.

Corporate legal departments usually get their way on important legal matters. This is one of those situations. When Legal realizes that LinkedIn Intro could destroy attorney-client privilege, Legal may march straight to the CIO and demand immediate cessation. That is, once you peel the Legal team off the ceiling.

Nothing like a crisis and reckless abandon by a formerly trusted service provider to get people moving.

This article does a good job of explaining the evils of LinkedIn Intro.

My respect for LinkedIn could not be at a lower point if they publicly admitted that they were sending your content to the government.

Prism, XKeyscore, and International Business

Disclaimer: I do not, nor ever had, any level of secret clearance for any government. I have no connections to Snowden, the NSA, or any person or organization linked to them.

From 2006 through 2012, I was the information security officer for a global financial services company, selling subscription based services to the largest companies in the world in every industry sector.  Understandably, many of the larger corporate customers expressed a lot of concern over the confidentiality of their financial data when stored in our systems. Despite having numerous external audits and penetration tests (with reports available to these customers), many of the larger customers won additional concessions in the form of additional security controls, in exchange for their business.

The U.S. PATRIOT Act was a tremendous stumbling block for many potential non-U.S. customers. They were concerned about the ability for law enforcement to serve secret subpoenas and obtain business records without their knowledge or consent.  Our only argument was that we were not the source for original data, and that federal law enforcement would more likely go after original records, such as banking and telecommunications. Still, many non-U.S. companies elected not to do business with our U.S. based company because of PATRIOT.

Revelations of Prism and XKeyscore represent U.S. law enforcement and spy agencies taking a gigantic leap beyond PATRIOT. With PATRIOT (as I understand it — my former employer was never, to my knowledge, served with a National Security Letter), a judge was required to sign or approve the national security letter on behalf of the federal law enforcement agency that wished to obtain information.  But with Prism and XKeyscore, U.S. federal law enforcement and other agencies have unilaterally obtained – and apparently continuously obtain – many forms of electronic records, without the consent of anyone.

Prism and XKeyscore, in my belief, will prove to be extremely harmful to U.S. based electronic services providers at every level: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and virtually all other forms of electronic services that store, transmit, or process electronic information.  With PATRIOT, the mere prospect of law enforcement obtaining information in special, limited circumstances was enough to scare away many potential customers. With XKeyScore and Prism, law enforcement continuously obtains much of this same information.  Thus, the probability of law enforcement (and other agencies) obtaining sensitive information increases from longshot to near absolute certainty.

This has got to be bad for U.S. based businesses in nearly every sector that provides services to customers worldwide.

————-

Aug 5 update: headline article in Puget Sound Business Journal echos my sentiments. http://www.bizjournals.com/seattle/news/news-wire/2013/08/05/nsa-revelations-could-cost-us-lead.html

NSA procedures for removing metadata from Word and PDF documents

Excellent and comprehensive document describes how to remove potentially embarrassing metadata from Word and PDF documents.

Redaction FAQs:

Q: What is redaction?

A: Redaction, also known as sanitizing, is a form of editing where sensitive information is removed from a document.

Q: How is redaction performed?

A: Redaction takes a finished document and blocks sensitive content in-place. The “flow” of the document is not changed; rather, sensitive information can be covered in black ink, or covered with white paper.

Q: Can documents be redacted electronically?

A: Yes, if it’s done correctly. Done wrong, the data that is “covered” is still there and can be discovered by people who know how to look. Read the following article from the NSA on redacting documents safely.

Redacting with Confidence: How to Safely Publish Sanitized Reports Converted from Word to PDF

Q: Can PDF documents be redacted?

A: Yes, as long as they are not locked (which can prevent editing). Adobe Acrobat Professional 8.0 has a built-in redaction tool that makes redaction easy to use and highly effective. Acrobat has a redaction toolbar that permits the user to select text and graphics to be redacted. Selected candidates are highlighted in red until redaction is applied.

Q: Are there any disadvantages to redaction?

A: If redaction is done improperly, it may be possible to discern what has been redacted. When individual words are redacted, the length of the redacted word is clearly visible. Sometimes it is smart to redact surrounding words in order to obscure the words that are actually sensitive.