Engineering News Blog

Engineering News

Latest news of interest to engineers. Sourced from GlobalSpec's Engineering News


A Quantum Leap in Information Security

Posted April 03, 2007 9:37 AM

From The Globe and Mail - Technology News:

Right now, somewhere in the world, hackers are trying to break into central electronic storage facilities to pilfer sensitive data such as credit card information, financial records and personal identification. Retail giant TJX Cos., which operates Winners and HomeSense in Canada, recently fell victim to this kind of cyber theft. So did fashion retailer Club Monaco. And down the road, thieves may be even more sophisticated -- they may be able to steal private data while it is being transmitted from the debit-card machine at your grocery store to your bank, or en route from your home computer to the Canada Revenue Agency.

Read the whole article

Guru

Join Date: Sep 2006
Posts: 4513
Good Answers: 88
#1

Re: A Quantum Leap in Information Security

04/05/2007 7:21 PM

No matter how sophisticated the encryption techniques used to protect confidential information, security compromise is a real issue unless steps are taken to protect it across the board.

I was a janitor years ago, and several of our clients were brand-name banks. One of them, Wells Fargo, did not even do a security check on us, thinking perhaps that if we did not have codes to their vaults, they were protected. Not so. Were I so inclined I could have stolen far more from Wells Fargo than the piddly contents of their vaults. All it would have taken is for me to plug keyboard dongles into the backs of the computers on their teller lines to capture keyboard traffic - including login passwords, account numbers, and personal information galore.

Another bank, Hibernia, did not lock their server room. It would have taken less than a minute to hot-swap a drive out of their RAID with a blank drive, then taken their drive home and dumped its contents. Like Wells Fargo, Hibernia did not run a security check on us, either.

The only thing that protected both banks was my sense of personal integrity.

Ironically, both banks had posters/brochures that boasted about their protection of "your privacy."

What protection? Were I so inclined, I could have had free access to all the info I needed before it ever saw an encryption algorithm.

-e

Guru

Join Date: Sep 2006
Posts: 4513
Good Answers: 88
#2

Re: A Quantum Leap in Information Security

04/05/2007 7:38 PM

No matter how sophisticated the encryption techniques used to protect confidential information, security compromise is a real issue unless steps are taken to protect it across the board.

I was a janitor years ago, and several of our clients were brand-name banks. One of them, Wells Fargo, did not even do a security check on us, thinking perhaps that if we did not have codes to their vaults, they were protected. Not so. Were I so inclined I could have stolen far more from Wells Fargo than the piddly contents of their vaults. All it would have taken is for me to plug keyboard dongles into the backs of the computers on their teller lines to capture keyboard traffic - including login passwords, account numbers, and personal information galore. Then, come back a few weeks later, collect my dongles, then go on a spending spree courtesy of Wells Fargo's customers. Now, wouldn't that be some egg in their face! How much is a national reputation worth? More than what was in those vaults, methinks?

Another bank, Hibernia, did not even bother to lock their server room. Worse, during some upgrade they were doing, their people even left the server rack outside their wiring closet, with all the cables running back inside. It was out in the open where even customers could see it during business hours, and sometimes, for a few minutes at a time, there weren't any tellers in view. One hop over the counter, grab a RAID drive, hop back, and exit through the front door. Even in our case it would have taken less than a minute to hot-swap a drive out of their RAID with a blank drive. I could've then taken their drive home and dumped its contents to my heart's content. Like Wells Fargo, Hibernia did not run a security check on us, either. What's wrong with this picture? Hello?

The only thing that protected both banks was my sense of personal integrity. But neither do I do business with either bank because the next janitor to come along may not have any scruples and there's no way to really know. The guy might just be a computer whiz down on his luck and desperately in need of cash - and morals.

Ironically, both banks had posters/brochures boasting about their "protection of your privacy." What protection? Were I so inclined, I could have had free access to all the info I needed before it ever saw an encryption algorithm.

What many organizations need is a Quantum Leap In Common Sense. Heck, a leap of any kind at all would be an improvement over the pre-information-society "measures" presently taken.

-e

Guru

Join Date: Feb 2007
Location: Israel
Posts: 2968
Good Answers: 24
#4
In reply to #2

Re: A Quantum Leap in Information Security

04/05/2007 8:08 PM

Something very fundamental bothers me about digital encryption techniques: Whatever you may develop, someone will copy. Not decrypt, but copy. Reverse-engineer. Just tap-in and copy.

Any encryption engine is, after all, a segment of data. You may fragment it back and forth, to re-assemble the key or the hole. You may multi-layer the engine, with each layer controlling the next, and in fact Windows anti-piracy mechanisms follow much the same type of effort, but eventually they all collapse because you cannot manage to avoid tapping and reverse-opening the keys.

The on-going effort to out-jog yourself and re-invent new multilayer fragmented key algorithms is not much more than an elaborate effort to impress gullible clients, unless real attention is given to tight-shut the tapping holes in a system.

Where it really matters, they do just that.

Guru

Join Date: Sep 2006
Posts: 4513
Good Answers: 88
#3

Re: A Quantum Leap in Information Security

04/05/2007 7:39 PM

Apologies for the double post.
