Thursday, February 02, 2012

Why we have jobs in cybersec

I just got an email from my accountant:
Attached, please find your 2011 Tax Organizer, which has been password protected. The Password is the FIRST FOUR digits of the taxpayer's social security number.

This seems reasonable. After all, your card for ATM machines has only a 4 digit PIN number. In addition, since the LAST 4 digits is so often used, many people know it, so they chose 4 digits that somebody else wouldn't know.

But of course, the problems with this are obvious to any professional.

There are three reasons why 4 digits work for ATM machines, and why they don't work here.
  • The ATM card itself the PRIMARY security, the PIN number is only SECONDARY.
  • Guessing the PIN number is "online" (you can only guess a few numbers before the ATM machine eats your card), but PDF guessing is "offline" (you can make as many failed guesses as you want).
  • The third reason things are different is that stealing money from an ATM is limited to only a few hundred dollars, whereas documents from your accountant can lead to loss of all your money.
I can pay my neighbor's kid $20 to sit in front of a computer for a couple hours trying all 10,000 combinations until they guess the right password. The kid might get smart and google social security number prefixes and reduce the number of attempts by quite a lot. Indeed, if he could figure out where I was born, he might reduce his search to only a few hundred attempts, because the first three digits are assigned by which state you are born in. Which is why people ask you for your last 4 digits rather the first 4 digits, because they are so easily guessed.

Or, I can download free software to do it for me. I downloaded this program and after 2 seconds of crunching numbers, it came up with the right password:

(This image is edited, of course, my SSN# does not actually start with "5967".)

So, what's the right solution? You can't send an encrypted PDF and the password in the same e-mail (as some people do), because then hackers yet again and decrypt the PDF. Instead, you have to exchange passwords "out-of-band", such as on the phone or when you visit the office. The encryption is only as strong as the password, so you have to choose a long one (more than 12 characters that are hard to guess).

The REAL correct solution is for vendors to better integration PGP or S/MIME into email systems. PDF encryption was chosen in this case because it's built-in. Likewise, generating public/private keys should be built into every e-mail system -- but it's not.


jduck said...

I couldn't agree more. I think legal encumberment (licensing, patents, etc), or even just the perception of it, have prevented widespread adoption.

IMHO, anyone that emails you should ask for your public key and use it for ever email they send you. This is ESPECIALLY true for banks, accountants, etc.

bw said...

I'm impressed your accountant bothered with encryption. One organization I dealt with sent me cleartext email copies of all the paperwork for my safekeeping. This was after I told them I wouldn't just email the docs over because it wasn't secure and pointed out that the practice is likely a violation of GLBA, since they were a financial institution.