March 8, 2018 // By Michael Lester
The following article was originally published on CSOonline.com and can be found here.
Nothing frustrates me more than reading on a website that a company is secure because it uses “military grade encryption” or “bank grade encryption.” Is it secure? It must be, because it uses “military grade encryption,” right?
There are a couple of truisms I’ve learned about security:
- How you do something is just as important as what you do.
- People are your weakest link.
- When asked about security, everyone lies about how much they have.
I have an aphorism that I use when discussing security with people: “If you put a military grade lock on a door next to a window, all you end up with is a very expensive, secure door and a broken window.” Yet this is what most websites do, and most people fall for it.
I am the cofounder of a company called LegacyArmour that protects people’s critical information and ensures that it gets to the right people at the right time. We use full end-to-end, zero-knowledge encryption techniques. My cofounder has a master’s degree in security technology and I’m a Certified Ethical Hacker and Certified Penetration Tester. We know a little bit about security, and we designed the system from the ground up with security in mind.
Do we use “military grade encryption”? Of course we do. We use AES-256, which has been certified by the U.S. government to protect information up to and including “Top Secret.” But using the algorithm that the military uses does not mean you achieve the same security as the military. Almost every cryptanalyst alive today will tell you that it is easier to mount a side-channel attack than it is to break the actual encryption. Besides, merely using AES-256 doesn’t make something eligible to hold military classified information. It has to use AES-256 within an NSA-approved encryption module.
Great! What does that mean? That means that Truism No. 1 is indeed a truism. You can use the same algorithms that the military uses, but if you implement them in the wrong way, they are useless. In other words, “how” matters just as much as “what.”
Here is an example: let’s say you wrote someone a postcard and mailed it to them. Once they received it, they locked it inside a bank vault and told everyone that it was protected by “banking grade security.” It must be. It is in a bank. The problem is that before it was put into the vault, it was in clear text, visible to multiple mail handlers along the way, and it was visible to the person who received it and put it into the vault. Also, if the person who put it into the vault became disgruntled, they could go get it out and expose it. (Truism No. 2.) And, if the government subpoenaed the recipient, they would be forced to turn it over. Knowing that, would you send someone a postcard with your social security number, birthday, and banking access user name and password on it?
Clearly, this isn’t a good idea, but people do it every day because they don’t understand how real security works. What is really frustrating is that if you have a company that is truly dedicated to security, like mine is, it is almost impossible to educate people enough about end-to-end, zero-knowledge encryption for them to make an educated choice. They hear the sizzle and imagine the steak, but all they are really getting is a lot of fried bologna. (Truism No. 3.)
There are certifications that a company can achieve that give the consumer some indication of how secure it is, but many of those certifications concentrate more on the what than the how, and our example has shown that this isn’t enough.
Until we do come up with a new (or modify an existing) certification framework that addresses not only the what, but also the how, consumers will continue to be misled by this kind of advertising. Unfortunately, most of them won’t know it until after their information has been compromised.
Post script: I frequently run some of my stories past my 12-year-old twins to make sure that I am making sense. I told them the example of the postcard going through the mail with all of the intensity and passion that I felt. They listened intently, and smiled and nodded their heads along with me as I made my points. At the end, I asked, “Does that make sense?” One of them said, “Absolutely! But what’s a postcard?” (Sigh.)