Disk Encryption: Customer Notices Security Gaff, Prompts ISP To Investigate.

There are many reasons to properly protect data on laptops.  Among them is this overlooked one: a customer might catch you being less than secure, as theregister.co.uk reports, something that I’ve never given consideration before.

On the other hand, is that so surprising?  After years of hearing how companies and government organizations have lost people’s sensitive data, it’s only natural that people will take an interest in data security issues.

Hull’s #1 Telco Involved

The story involves one Chris Hill who signed up with KC, an ISP that’s apparently the dominant service provide in the region of Hull, UK.  An “engineer” showed up at Hill’s home and,

He used a laptop to connect to the router and as he came to the user ID and password for my connection he opened a spreadsheet and looked my phone number up in it. There was my user ID and password, in plain text, along with everyone else’s. He tried to shield it from me when he realised I was looking at the list.

Scandalous?  Maybe.  This is the thing:  We’re talking about a guy (the engineer) who already has access to this data as part of his work.  If he doesn’t have that data, he can’t complete his job; so, he has to have it.  Thus, the fact that he’s able to access it is also not wrong.  Furthermore, that he has a list of them is also (possibly) not wrong.  Maybe he has to visit five locations and do the same job over and over.  Or maybe his work schedule has been prepared for the entire week.  That the passwords were visible in plain text?

Also Not Wrong

That’s right, it’s not wrong that the engineer had the list showing in plain text.  I mean, the guy’s a person, for Chrissakes!  Are we to assume that he can read the password in encrypted form?  Of course he had it in plain text!

The real question, from a security standpoint, is this: Was encryption software used to protect the spreadsheet that contained the list?  If not, was the computer protected with laptop encryption software?  (The answer to the latter appears to be “yes”).

Based on the story I’ve read, it almost appears that Mr. Hill was having exception with the presence of plain text files.  Storing passwords in plain text form is bad – a bad idea, a bad practice, a bad policy, a bad etc.; however, that doesn’t mean that passwords must always stay encrypted.  That’s stupid.  It’s like finding out that the safest car is the one that’s not moving, so you buy a car and keep it parked forever.  That’s not how things work.

If someone has to hand you the password (the user at home), it’s going to have to be in plain text.  If someone has to program the password to a device, it’s going to have be in plain text.  The presence of plain text is not necessarily a data breach.

It Happens to FDE, Too

Consider full disk encryption, a tool that is relied upon by doctors, lawyers, accountants, and other people who make it their business to collect and work with personal data, and thus risk a data breach on a daily basis.  Full disk encryption (FDE) is a marvelous, simple tool; however, it does have a weakness.  It’s not active while you’re using a computer.

While you’re working on your computer (sending an email, playing a game, checking Facebook), the computer is not encrypted.  And rightly so.  Like our engineer above, you’re unable to read or work with encrypted data (at least, I suppose you’re not able to).

The moment the laptop is shut off, however, the FDE goes into “active” mode again.  This includes instances where the battery runs out or if the computer was only running from a power outlet but got plugged out.

So, there is a window of opportunity (or risk, depending on how you look at it) where data could be breached even if you are using FDE.  But how else would you have it?  Would you never turn on your computer?  Or not use FDE?  (That’s a terrible idea, by the way).

Related Articles and Sites:


Comments (0)

Let us know what you think