Saturday, July 4, 2009

How will my loved ones break my password?

image Just a few days ago I posted about a new Swiss web service from DataInherit to manage the life cycle of your sensitive data and credentials. Coincidentally Cory Doctorow has an article in the Guardian this week on the same topic, fretting about passwords being carried off with loved ones into the next life. While creating a will with his wife, Doctorow was stumped by how to deal with his data, and specifically the secrets that protect that data. His various hard disks are protected by AES-128 bit encryption and a passphrase that is unlikely to succumb to anything less than quantum leaps in quantum computing. So while Doctorow feels safe against attacks on his data, he wonders about the following scenario:

But what if I were killed or incapacitated before I managed to hand the passphrase over to an executor or solicitor who could use them to unlock all this stuff that will be critical to winding down my affairs – or keeping them going, in the event that I'm incapacitated?

After considering several technical and non-technical approaches he finally decided on the following solution

I'd split the passphrase in two, and give half of it to my wife, and the other half to my parents' lawyer in Toronto. The lawyer is out of reach of a British court order, and my wife's half of the passphrase is useless without the lawyer's half (and she's out of reach of a Canadian court order).

Doctorow remarks that the surprising outcome of this process was the realisation that we are missing a well-known service for handling key escrow in an era of military grade encryption being available to home users. He concludes that “you need to figure this stuff out, before you get hit by a bus and doom your digital life to crypto oblivion”. I think that DataInherit will be giving him a call.

Friday, July 3, 2009

Excellent Awareness talk from British Airways

There were several great talks at the recent ENISA conference on raising IT Security Awareness. I would like to mention one here from Robert Hadfield of British Airways called “Silver Bullets, Kangaroos and Speed Cameras”, which is embedded below from Scribd.

Hadfield began by reporting on an experiment where 100 identical emails with an executable attachment were sent to employees marked as urgent. The result was that 84 people opened the email, and 69 also executed the attachment. So he said we have a problem with people. To justify a security awareness program he gave the following very wise reasons

  1. Simple human error, ignorance or omission is most commonly at the root of any security breach
  2. We need to enable employees to acquire security knowledge by using there own reason, intuition and perception. We must seek long term behavioural change.
  3. Pound for pound, raising awareness will improve security far more effectively than any technical solution can ever hope to achieve.

He also noted that since the average cost of a security breach is about £50,000 then awareness programs can pay for themselves if they can prevent one or two of these incidents per year. Even so, how do you effect change on a group of 45,000 mostly disinterested employees? Hadfield found great success in meet-the-people workshops & roadshows, which were reported as a very effective awareness mechanism by other speakers and the ENISA workshop as well, and also the main conclusion from an ENISA survey conducted by PwC last year. Hadfield reports that over 200 workshops have been undertaken this year resulting in over 2000 people being trained. BA also uses other channels besides workshops, and one of their clever posters is shown below - a reminder to users to lock their desktops when wandering off for a coffee.

image

I am leaving out many clever observation and graphics so please take a look at the presentation for yourself.

IT Security Awareness presentation from British Airways, June 2009

Wednesday, July 1, 2009

The DataInherit Service – Swiss Secure Internet Escrow

I would like to announce the availability of a new secure internet storage service called DataInherit, co-founded by one of my former Swiss colleagues Tobias Christen. DataInherit is more than secure storage – it is a service for keeping sensitive data and credentials in trusted escrow for defined beneficiaries. This is an implementation of digital inheritance, supporting the ongoing life cycle of digital data. The DataInherit site contains a good explanation of their vision, and you can read more about the DataInherit security architecture on Scribd (document embedded below).

Digital Inheritance