How to exchange secrets.

Simon Vans-Colina
Nov 10, 2015 · 3 min read

If you work in an organisation that does anything interesting at all, chances are your company has secrets: passwords, tokens and credentials that keep customers' data, and sometimes their money, secure.

As this incredible, terrifying infographic shows, organisations are increasingly terrible at keeping secrets.

Almost every one of these data breaches came down to the same thing: a secret that should have stayed confidential leaked. So how do these secrets get out? And what can you do to stop yourself being the weak link?

Social Engineering.

One of the biggest risks is that you or your colleagues are tricked into revealing secrets.

Attackers will try to social-engineer passwords out of staff. They usually don’t go straight for the crown jewels either; they’ll start with something simple: “”.

Once they’ve got two or three email account passwords, they’ll use them to send a few emails at the same time asking a sysadmin to reset something more important: a VPN credential, or something else that should have been better protected. A request is much more convincing when it arrives from a genuine internal mailbox.

There’s a simple way to protect yourself from this kind of attack. It’s called “trust, but verify.” Here’s how it works.

Say your CEO emails you at 11pm and asks you to reset his website password. What do you do? Do you quickly change his password and email him back? Or do you send him a text message: “Just confirming it’s you that asked for a password reset.” The point is to confirm over a channel the attacker doesn’t control, using a number or address you already had, not one supplied in the request itself.

Passwords sent insecurely.

Another huge risk is people emailing passwords around, or pasting them into Slack. This is especially true for passwords used to authenticate one system or company to another: database passwords, administrator passwords and so on.

There are lots of bad ways to send secrets:

  • Email is often relayed over the internet unencrypted and can be read in transit; it also sits in plain text in both parties’ mailboxes and on every mail server in between.
  • Passwords sent by text message can be intercepted by well-equipped attackers using IMSI catchers and fake base stations.

Passwords left lying around.

Attackers love rummaging through dumpsters, both real and metaphorical.

If you’re in a totally secure Slack channel with just you and another engineer, and you think, “”.

Six years later you get hacked, and it turns out that a rogue insider scrolled _all the way back_ to the early days of your business and found the passwords right there.

Don’t leave passwords on Post-it notes.

Don’t leave them in chat rooms.

Don’t leave them in your email.
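The scroll-back problem is one you can check for yourself: export the history of a chat room and look for lines that carry credentials. The script below is an added example, not part of the original post. The chat export is constructed for the demo, and the three patterns (a credential keyword followed by a value, a PEM private-key header, and an AWS access key ID, which always begins with AKIA) are deliberately simple; a real audit would use a dedicated secret scanner and a much longer pattern list.

```shell
#!/bin/sh
# Added example, not from the original post: scan an exported chat history for
# the kind of secret the post warns about. The export below is constructed for
# the demo and the patterns are deliberately simple.
set -eu

# Constructed sample: one message per line, as a Slack or IRC export might look.
sample_chat_export() {
  cat <<'EOF'
2015-03-02 10:14 alice: deploying v1.2 now
2015-03-02 10:15 bob: can you send the prod db creds?
2015-03-02 10:16 alice: sure, password: Tr0ub4dor&3
2015-03-02 10:17 bob: thanks. aws key id is AKIAEXAMPLEEXAMPLE01
2015-03-02 10:20 alice: -----BEGIN RSA PRIVATE KEY-----
2015-03-02 10:21 alice: (key body omitted from the constructed sample)
2015-03-02 10:30 carol: lunch?
2015-03-02 10:31 alice: the new password is in the password manager, not here
EOF
}

# Print matching lines (with line numbers) for three kinds of leaked secret:
#  1. a credential keyword followed by ':' or '=' and a value of 6+ characters
#  2. a PEM private-key header
#  3. an AWS access key ID (AKIA followed by 16 upper-case alphanumerics)
# Reads the export from stdin. Exit status is grep's: 0 if something was
# found, 1 if the export is clean.
scan_chat_for_secrets() {
  grep -Ein \
    -e '(password|passwd|secret|token|api[_-]?key)[[:space:]]*[:=][[:space:]]*[^[:space:]]{6,}' \
    -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
    -e 'AKIA[0-9A-Z]{16}'
}

# Number of suspicious lines in an export read from stdin (0 when clean).
count_leaked_secrets() {
  scan_chat_for_secrets | wc -l | tr -d ' '
}

# Stand-alone run: lists the three leaked lines from the constructed export.
sample_chat_export | scan_chat_for_secrets
```

Note that the last line of the sample, which only says where the password lives, is not flagged: the patterns need a separator between the keyword and a value, which keeps the noise down when you point the scanner at years of real history.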

How to do it right?

There are a few safe, good ways to transmit passwords right now:

PGP/GPG

Learn to use PGP. Either install Thunderbird, Enigmail and GPG Tools on your Mac, or just install GPG Tools and use the command line.

Sending a secret securely is as easy as running these commands in a terminal window (Linux, or Mac with GPG Tools installed). The first fetches the recipient’s public key from a key server; the second encrypts whatever you type to that key and prints the result as ASCII-armored text.

gpg --recv-keys D78311AD

gpg -e -a -r D78311AD

Hit CTRL-D to end typing your message.

One caveat: D78311AD is a short, 32-bit key ID. Anyone can generate a key whose short ID collides with it and upload that key to a key server, and the key server will hand it out just the same. Before you encrypt, check the key’s full fingerprint against one the recipient gave you over another channel (in person, by phone, on a business card), and pass that full fingerprint to -r rather than the short ID.


Then simply copy and paste the block of PGP-encrypted data into an email. The email can be read in transit or sit in a mailbox for years; only the holder of the private key can recover the secret.

That’s it.
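Here is that exchange run end to end, as an added example rather than the post’s own commands. Both parties live in throwaway keyrings so it runs offline; importing an exported key file stands in for --recv-keys (a key server does no more than hand over bytes, so the trust question is the same); and the sender checks the full fingerprint before encrypting, which is the step the two-command version above skips. It assumes GnuPG 2.1 or later is on the PATH. The names, addresses and the secret are made up for the demo, and the key is generated without a passphrase purely so the script needs no interaction.

```shell
#!/bin/sh
# Added example, not from the original post: the GPG exchange the post
# describes, run between two throwaway keyrings ("alice" sends, "bob"
# receives). Assumes GnuPG 2.1+ on PATH. Identities and the secret are
# made up for the demo.
set -eu

# Compare the fingerprint of an imported key with the one the key owner read
# out over a second channel (phone, in person). Succeeds only on an exact match.
verify_fingerprint() {
  if [ -n "$1" ] && [ "$1" = "$2" ]; then return 0; else return 1; fi
}

# Primary-key fingerprint (40 hex characters) of a user ID in a given keyring.
fingerprint_of() {
  GNUPGHOME=$1 gpg --batch --with-colons --fingerprint "$2" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Full round trip. Prints the secret exactly as the recipient decrypts it.
gpg_exchange_demo() {
  work=$(mktemp -d)
  alice="$work/alice"; bob="$work/bob"
  mkdir -m 700 "$alice" "$bob"

  # 1. The recipient generates a key. %no-protection is for the demo only:
  #    a real key must be protected by a passphrase.
  cat > "$work/bob.params" <<'EOF'
%no-protection
Key-Type: EDDSA
Key-Curve: ed25519
Subkey-Type: ECDH
Subkey-Curve: cv25519
Name-Real: Bob Example
Name-Email: bob@example.org
Expire-Date: 0
%commit
EOF
  GNUPGHOME="$bob" gpg --batch --quiet --gen-key "$work/bob.params" 2>/dev/null
  GNUPGHOME="$bob" gpg --batch --armor --export bob@example.org > "$work/bob.pub"
  bob_fpr=$(fingerprint_of "$bob" bob@example.org)   # Bob reads this out by phone

  # 2. The sender imports the key (this stands in for --recv-keys) and checks
  #    the fingerprint she sees against the one Bob gave her out of band.
  GNUPGHOME="$alice" gpg --batch --quiet --import "$work/bob.pub" 2>/dev/null
  seen_fpr=$(fingerprint_of "$alice" bob@example.org)
  verify_fingerprint "$bob_fpr" "$seen_fpr" \
    || { echo "fingerprint mismatch: refusing to encrypt" >&2; return 1; }

  # 3. Encrypt to the verified full fingerprint, never to a short key ID.
  #    --trust-model always is the batch equivalent of answering "yes" to the
  #    "no assurance this key belongs to the named user" prompt; it is safe
  #    here only because step 2 verified the fingerprint.
  printf '%s' 'db-prod-password-demo' \
    | GNUPGHOME="$alice" gpg --batch --quiet --trust-model always --armor \
        --encrypt --recipient "$bob_fpr" > "$work/secret.asc"

  # 4. secret.asc is the block you paste into an email. Only Bob's private
  #    key can open it.
  GNUPGHOME="$bob" gpg --batch --quiet --decrypt "$work/secret.asc" 2>/dev/null

  GNUPGHOME="$bob" gpgconf --kill all 2>/dev/null || true
  GNUPGHOME="$alice" gpgconf --kill all 2>/dev/null || true
  rm -rf "$work"
}

# Stand-alone run: prints db-prod-password-demo.
gpg_exchange_demo
```

In everyday use you would not pass --trust-model always at all; after checking the fingerprint you would sign the key locally once (gpg --lsign-key) and gpg would stop asking.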

How to do it right with other semi-technical parties.

The problem you’ll often hit is that even if you learn how to store and transmit secrets, the person you’re talking to might not have.

Striking the right balance between staying secure and looking like a paranoid jobsworth isn’t easy. It’s important that your company culture encourages people to take their responsibility to your customers seriously.

One good suggestion is to use Signal, a free instant-messaging app for Android and iPhone that uses strong end-to-end encryption.

Another way that works well for external suppliers is to “schedule a call to securely relay the password”. This is especially useful as it lets the other party know that you take security seriously. Call a number you already have for them rather than one that arrived with the request. Once they read the password out to you, you can encrypt it using GPG, or put it straight into a password manager like KeePassX, 1Password or LastPass.

Simon Vans-Colina

Written by

I remember when the internet meant running slip over telnet. Co-founder @LondonAerospace & @CryptoCLASS. Pope of the Church of Erisian Discordianism. Extropian.
