A recent espionage prosecution in West Palm Beach, Florida shows that encryption is not the panacea many organizations take it to be. Rather than relying on encryption alone, companies need to adopt and maintain strategies that keep providing layered security.
After every data breach, we hear the same mantra, “If only the data were encrypted!” As if encryption of data is the answer to data breaches. Now don’t get me wrong, appropriate encryption of data at rest and in transit is critically important.
If a laptop, thumb drive, or data file is stolen, encryption can be the difference between a multi-million dollar reportable data breach and a mere nuisance. Data breach disclosure laws almost universally exclude from the definition of “breach” data that was encrypted at the time of the theft (most of them on the condition that the key was not taken along with it).
But encryption isn’t always the answer, and is rarely the complete answer. For databases or documents that need to be accessed, indexed, and searched, most common encryption products make such access or search impossible. That’s because, for the most part, data is either encrypted (inaccessible) or searchable (accessible), and the moment a database is decrypted so an application can query it, anyone who compromises that application, or the account holding the key, sees exactly what the application sees. So encryption is part of a security strategy, but not all of it.
And encryption, even strong encryption, may not be the panacea you think it is. In the South Florida criminal case, Christopher Glenn, a 35-year-old former defense contractor living in his mother’s retirement community, was convicted of stealing and retaining classified documents, relating to U.S. policy in the Middle East, that he obtained while working for the U.S. government in Honduras.
In preparation for his theft, Glenn, a “computer specialist” with a U.S. defense contractor, read up on data security in general and encryption in particular. He apparently read articles about TrueCrypt, a popular freeware encryption product used for On-The-Fly Encryption (OTFE), noting in particular an October 2011 article entitled, “FBI Hackers Fail to Crack TrueCrypt.”
Glenn figured that he could create an encrypted partition (which he named “2012 Middle East”) on his drive, protect it with a 30-character passphrase, and the data would then be secure. Indeed, he estimated that it would take the FBI “billions of years” to crack the crypto by brute force.
He was wrong. And he was sentenced to 10 years in jail.
Is Crypto Secure?
According to case reports, the FBI’s counter-intelligence agents were able to decrypt the encrypted files on Glenn’s computer, which became evidence in his case. Given that this is 2015, they did so in substantially less time than the “billions of years” Glenn anticipated.
While the case file does not explain how the FBI did this, there are several possible explanations, each of which has repercussions for companies implementing encryption as their sole or primary means of protection against unauthorized access.
In the past, reported cases have shown TrueCrypt, at least according to the government’s own experts, thwarting efforts to obtain timely access to encrypted documents. In In re Grand Jury Subpoena Duces Tecum, 670 F.3d 1335 (11th Cir. 2012), the government sought to compel a suspect to produce the decrypted contents of his TrueCrypt volumes; the court of appeals held that, because the government could not show it already knew what the drives contained, forcing him to decrypt them would be testimonial and barred by the Fifth Amendment.
In that child pornography case, the government’s forensic experts testified that they were unable to decrypt the TrueCrypt volumes, despite having found two unencrypted passwords on the drive. See also Commonwealth v. Gelfgatt, 468 Mass. 512 (2014), where the Massachusetts Supreme Judicial Court did compel decryption of TrueCrypt-encrypted drives, after the Commonwealth showed that brute force was “virtually impossible” and that the defendant’s knowledge of the keys was a foregone conclusion.
So it’s possible (indeed likely) that Glenn kept a copy of his password or passphrase in an unencrypted location on the seized computer or that the government was able to obtain the password or passphrase through some kind of surveillance.
In the case of Nicodemo (“Little Nicky”) Scarfo Jr., decided in 2001, the U.S. government was investigating his underworld activities when agents found PGP-encrypted files on his hard drive. Unable to crack the crypto, the government obtained a court order to install a Key Logger System (KLS) on his computer, captured the passphrase, and gained access to Little Nicky’s files. It turned out that the passphrase was the Bureau of Prisons (BOP) inmate number of his father, “Big Nicky” Scarfo.
This points out that an encryption scheme is ONLY as secure as the passphrase that protects it and the machine it runs on. If you can get access to the computer (usually through malware delivered by phishing) you can capture BOTH the key material AND the passphrase, or simply copy the files while the volume is mounted, when the operating system, and therefore the malware, sees them in the clear.
It’s kind of like The Simpsons episode “Bart vs. Lisa vs. the Third Grade,” where Bart and Lisa are lost on a field trip because of the teacher’s reliance on “the buddy system,” which assumes two safeguards will not fail at the same time when in fact their failures are correlated (go watch the episode, Season 14 episode 3, and you’ll know what I mean).
What’s worse, even without hacking, it’s possible to “brute force” not the crypto key but the passphrase. A long passphrase requirement helps less than people expect, and can even hurt: humans are notoriously bad at remembering things, especially complicated things, so the longer the phrase we are forced to pick, the more likely it is to be something we already know by heart. (Password = password.)
So we pick lines from the Bible, Shakespeare or Dickens (“It was the best of times, it was the worst of times”), from movies (“My voice is my passport”), or other phrases that are easy to recall. A 51-character quote has nowhere near 51 characters’ worth of randomness; its real strength is the number of famous quotes an attacker would bother to try. So the FBI or a hacker need not spend billions of years searching the whole key space. They need only guess what YOU would pick as a passphrase.
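As an added illustration (mine, not from the article or the case file, and not TrueCrypt’s real header format), the following Python builds a stand-in for a passphrase-protected volume header and then attacks it the way a human-aware attacker would: with a handful of famous quotes and the usual mangling rules instead of the full key space. The salt, iteration count, quote list and verifier construction are all assumptions.

```python
import hashlib
import hmac
import math

# Constructed stand-in for a volume header check. A real TrueCrypt header is
# decrypted with a PBKDF2-derived key and recognised by a magic value plus a
# CRC; here the "header" is an HMAC tag over a fixed marker, so the verifier
# needs only the standard library. Salt and iteration count are assumptions.
SALT = bytes(range(64))
PBKDF2_ITERATIONS = 1000   # kept low so the demo runs in well under a second
MAGIC = b"TRUE"


def derive_header_key(passphrase: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), SALT,
                               PBKDF2_ITERATIONS, 64)


def make_verifier(passphrase: str) -> bytes:
    """What the container stores: a value only the right key can reproduce."""
    return hmac.new(derive_header_key(passphrase), MAGIC, "sha256").digest()


def unlock(passphrase: str, verifier: bytes) -> bool:
    return hmac.compare_digest(make_verifier(passphrase), verifier)


# Constructed "what would a human pick" list: famous lines from books and
# films. A real attacker uses millions of such phrases, not five.
QUOTES = [
    "It was the best of times, it was the worst of times",
    "My voice is my passport. Verify me.",
    "To be, or not to be, that is the question",
    "In the beginning God created the heaven and the earth",
    "The quick brown fox jumps over the lazy dog",
]


def mangle(phrase: str) -> list:
    """The ways people typically 'strengthen' a phrase; each yields a guess."""
    forms = [phrase, phrase.lower(), phrase.title(),
             phrase.replace(" ", ""), phrase.rstrip(".!")]
    guesses = []
    for form in dict.fromkeys(forms):          # dedupe, keep order
        guesses += [form, form + "1", form + "2012", form + "!"]
    return guesses


def candidates():
    for quote in QUOTES:
        yield from mangle(quote)


def crack(verifier: bytes):
    """Try the candidate list; return (passphrase, guesses_tried)."""
    tried = 0
    for guess in candidates():
        tried += 1
        if unlock(guess, verifier):
            return guess, tried
    return None, tried


def candidate_entropy_bits() -> float:
    """Real strength of a phrase drawn from this list: log2(#candidates)."""
    return math.log2(sum(1 for _ in candidates()))


def full_keyspace_years(alphabet_size: int, length: int,
                        guesses_per_second: float) -> float:
    """Brute force of every string of that length: what Glenn was counting on."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    chosen = "Itwasthebestoftimes,itwastheworstoftimes2012"   # 44 characters
    verifier = make_verifier(chosen)
    found, tried = crack(verifier)
    print(f"recovered {found!r} after {tried} guesses")
    print(f"list entropy: {candidate_entropy_bits():.1f} bits; "
          f"naive brute force of 44 printable characters at 1e12/s: "
          f"{full_keyspace_years(95, 44, 1e12):.1e} years")
```

The 44-character passphrase falls on the 15th guess, because it is a quote with spaces stripped and a year appended, which is exactly what the mangling rules anticipate. The PBKDF2 iteration count slows each guess by the same factor whether the attacker is searching 10^87 random strings or 84 quotes, so key stretching cannot rescue a passphrase drawn from a small human-sized list.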
Another problem for Glenn may have been the encryption product he chose, TrueCrypt. As noted above, there have been a number of cases in which government agents argued that TrueCrypt rendered files impossible (or almost impossible) to read, including the seized drives of Brazilian banker Daniel Dantas (12 months of dictionary attack failed to recover the passphrase) and of Glenn Greenwald’s associate David Miranda, whose TrueCrypt-encrypted files reportedly could not be read by British authorities as part of the Snowden investigation. Even so, TrueCrypt as a product may not be as secure as users think.
There are weaknesses inherent in the product, some of which it shares with every on-the-fly encryption tool, BitLocker included. The keys of every mounted volume must sit in RAM, where they are exposed to the so-called cold-boot attack (DRAM keeps its contents for seconds after power is cut, and for minutes if the chips are chilled, long enough to reboot into a tool that dumps memory and searches it for key schedules), to memory acquisition over DMA-capable ports, and to malware that scrapes passphrases or keys from a running system. The independent audit of TrueCrypt completed in 2015 found no evidence of a deliberate backdoor, but it did turn up implementation bugs.
The TrueCrypt website has, since the developers abruptly ended the project in May 2014, carried the warning “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues” and recommends that users migrate to Microsoft’s BitLocker.
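What a memory image gives an attacker can be seen in this added example (mine, not from the article, TrueCrypt, or the cold-boot paper): a scan for AES-128 key schedules, the technique the aeskeyfind tool from the 2008 cold-boot research uses. AES keeps its expanded round keys in memory next to the key, so 16 bytes followed by exactly their own expansion is a key with near certainty. The memory image is constructed, with the FIPS-197 test key planted in it; the AES key schedule is implemented inline so the block runs stand-alone.

```python
import random

# --- AES-128 key schedule (FIPS-197), implemented here so the scan is
# self-contained; the S-box is generated rather than typed in. ---------------

def _rotl8(v: int, n: int) -> int:
    return ((v << n) | (v >> (8 - n))) & 0xFF


def _make_sbox() -> list:
    """Build the AES S-box from the GF(2^8) inverse plus the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = (q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3)
                   ^ _rotl8(q, 4) ^ 0x63)
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key_128(key: bytes) -> bytes:
    """Return the 176-byte round-key schedule that AES-128 keeps in memory."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # RotWord then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


# --- The scan: the same idea as aeskeyfind from the cold-boot paper. --------

def find_aes128_keys(image: bytes) -> list:
    """Slide over a memory image; report offsets where 16 bytes are followed
    by exactly their own expanded key schedule. Random data essentially never
    satisfies this, so every hit is a real key (or a deliberate decoy)."""
    hits = []
    for off in range(len(image) - 176 + 1):
        key = image[off:off + 16]
        # cheap prefilter: recompute only the first expanded word (w[4])
        t = [SBOX[b] for b in (key[13], key[14], key[15], key[12])]
        t[0] ^= RCON[0]
        if bytes(a ^ b for a, b in zip(key[:4], t)) != image[off + 16:off + 20]:
            continue
        if expand_key_128(key) == image[off:off + 176]:
            hits.append((off, key))
    return hits


def constructed_memory_image() -> bytes:
    """A fake RAM dump: random filler with a live key schedule planted in it
    and the bare key planted elsewhere (the bare key alone is NOT found)."""
    rng = random.Random(2015)
    filler = bytes(rng.getrandbits(8) for _ in range(16 * 1024))
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 test key
    image = bytearray(filler)
    image[0x1000:0x1000 + 176] = expand_key_128(key)   # what a mounted volume leaves in RAM
    image[0x3000:0x3000 + 16] = key                    # key bytes without a schedule
    return bytes(image)


if __name__ == "__main__":
    for offset, key in find_aes128_keys(constructed_memory_image()):
        print(f"AES-128 key schedule at offset 0x{offset:x}: {key.hex()}")
```

The scan needs no passphrase and no weakness in the cipher; it only needs the bytes that any software implementation must keep in RAM while a volume is mounted. The practical defences are the ones that keep key material out of ordinary memory or out of reach: dismounting volumes and powering off rather than sleeping, disabling DMA on external ports, and keeping keys in a hardware module where the design allows it.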
So that’s another thing for enterprises to worry about: not only whether the encryption product is appropriate and secure, but whether it CONTINUES to be appropriate and secure for the data protected by that product or that key. This is especially true for large databases that were encrypted 10 to 20 years ago. The product used to encrypt them may no longer be up to the task, and the algorithms and key lengths that were reasonable then may not be now. All products tend to get less secure over time, because attacks only improve, and crypto products are not immune from this rule.
Additionally, there is the problem of implementation, or, as they say, the fault lies not in the silicon but in the carbon. In WWII, the cryptanalysts at Bletchley Park in England were able to read Enigma traffic partly because operators were predictable: messages opened with stock phrases (the German word “an,” meaning “to,” followed by the letter X used as a word separator, was a standard crib), and careless operators reused settings or re-sent the same text, handing the codebreakers two encipherments of one message.
So even a good, well-designed product, properly deployed with strong and hard-to-guess passwords or passphrases (or tokens or other authentication), can be defeated through poor operational practice, social engineering, or password or key sharing.
We don’t know which, if any, of these methods the FBI used to decrypt Glenn’s hard drive, or indeed whether Glenn simply had copies of the encrypted files in an unencrypted directory. One lesson to be learned is that encryption is part of a solution, but isn’t the solution itself. The other lesson is, don’t mess with the FBI.
So the problem lies not so much with encryption per se; it’s still among the best methods we have to protect data (if properly implemented). The problem is that we think encryption solves all of our problems and that if data is encrypted it is protected.
Companies need to evaluate not only WHETHER they encrypt data, but when and how they encrypt it. For example, the RAM scrapers behind several retail breaches capture credit card numbers and other personal information from a point-of-sale system’s memory in the window after the card is read and before the data is encrypted for transmission. Encryption “in transit” is no help if the data is taken before it gets there.
Companies need to evaluate whether their encryption products continue to meet their needs, and to test the effectiveness of the product, its implementation and the key management around it through pen testing and other processes.
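To make the timing point concrete, here is an added example (mine, not from the article or any point-of-sale product): a constructed transaction record, the scan a RAM scraper runs over process memory (digit runs filtered with the Luhn check, so timestamps and order numbers are discarded), and the same transaction with the card reader encrypting at the swipe. The record layout, the key, and the SHA-256 counter-mode stand-in for the reader’s cipher are all assumptions.

```python
import hashlib
import re

# Constructed point-of-sale scenario. Record layout, key and the stand-in
# cipher are assumptions for illustration, not any real product's design.

PAN_PATTERN = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")


def luhn_valid(digits: bytes) -> bool:
    """Luhn check-digit test: what separates card numbers from timestamps,
    order numbers and other digit runs found in memory."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48                          # ASCII digit -> value
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape_pans(memory: bytes) -> list:
    """What a RAM scraper does: regex for 13-19 digit runs, then Luhn-filter."""
    return [m.group(0).decode() for m in PAN_PATTERN.finditer(memory)
            if luhn_valid(m.group(0))]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the reader's cipher: SHA-256 in counter mode. Symmetric,
    so applying it twice with the same key decrypts."""
    out = bytearray()
    for n, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + n.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def app_encrypts_memory(pan: str, key: bytes) -> bytes:
    """Usual flow: the application assembles a plaintext record and then
    encrypts it. The image returned is what lives in the process between
    those two steps, which is exactly when a scraper reads it."""
    record = (f"TXN 20150821093000 ORDER=1234567890123456 PAN={pan} "
              f"EXP=1217 AMT=4999 TERM=0012345").encode()
    ciphertext = keystream_xor(key, record)
    return record + b"\x00" * 16 + ciphertext      # both buffers are live


def reader_encrypts_memory(pan: str, key: bytes) -> bytes:
    """Point-to-point flow: the card reader encrypts at the swipe, so the
    application only ever handles ciphertext for the PAN field."""
    pan_ct = keystream_xor(key, pan.encode())
    return (b"TXN 20150821093000 ORDER=1234567890123456 PAN=" + pan_ct
            + b" EXP=1217 AMT=4999 TERM=0012345")


if __name__ == "__main__":
    key = b"constructed demo key"                  # the reader's key; assumption
    test_pan = "4111111111111111"                  # a standard test card number
    print("app encrypts:   ", scrape_pans(app_encrypts_memory(test_pan, key)))
    print("reader encrypts:", scrape_pans(reader_encrypts_memory(test_pan, key)))
```

The scraper finds the card number in the first image and nothing in the second, even though both transactions end up encrypted; the only difference is where in the pipeline encryption happens. The second flow holds only if the reader’s key never enters the application’s memory, which is the design goal of point-to-point encryption and the reason the timing question belongs in any review of “we encrypt everything.”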
All of this must be part of a comprehensive data security program which includes access control, data management, ingress and egress reporting, data loss prevention processes, intrusion detection and prevention, managed and monitored firewalls and other services, threat intelligence, and comprehensive incident response. There are no shortcuts here. Oh yes, and encryption, the right encryption.