How to exchange secrets.

If you work in an organisation that does anything interesting at all, chances are your company has secrets, passwords, tokens and credentials that keep customers’ data, and sometimes their money, secure.

As this incredible, terrifying infographic shows, organisations are increasingly terrible at keeping secrets.

Almost every one of these data breaches was the result of a secret that should have been kept confidential leaking. So how do these secrets get out, and what can you do to stop yourself being the weak link?

Social Engineering.

One of the biggest risks is that of you or your colleagues being tricked into revealing secrets.

Attackers will try to social engineer passwords out of staff. They usually don’t go straight for the crown jewels either; they’ll start with something simple: “I’m locked out of my email, can you reset my password?”

Once they’ve got 2 or 3 email account passwords, they’ll use them to send a few emails at the same time asking a sysadmin to reset something more important: a Virtual Private Network (VPN) credential, or something else that should be more secure.

There’s a simple way to protect yourself from this kind of attack. It’s called “Trust, but verify.” Here’s how it works.

Say your CEO emails you at 11pm and asks you to reset his website password. What do you do? Do you quickly change his password and email him back? Or do you send him a text message: “Just confirming it’s you that asked for a password reset.”

Passwords sent insecurely.

Another huge risk is people emailing passwords around, or pasting them in Slack. This is especially true for passwords that are used to authenticate one system or company to another. Think things like database passwords, administrator passwords, etc.

There are lots of bad ways to send secrets:

  • Emails are often sent over the internet unencrypted and can be read on the way.
  • Passwords sent by text message can be pinched by sophisticated hackers using IMSI catchers and fake base stations.

Passwords left lying around.

Attackers love rummaging through dumpsters, both real, and metaphorical.

If you’re in a totally secure Slack channel with just you and another engineer, you might think, “Cool, it’s just us here, we can totally just copy/paste the passwords.”

6 years later you get hacked and it turns out that some rogue insider threat scrolled _all the way back_ to the early days of your business and found the passwords right there.

Don’t leave passwords on Post-it notes.

Don’t leave them in chat rooms.

Don’t leave them in your email.

How to do it right?

There are a few safe, good ways to transmit passwords right now:

PGP/GPG

Learn to use PGP. Either install Thunderbird, Enigmail and GPGTools on your Mac, or just install GPGTools and use the command line.

Sending me a secret securely is as easy as running these commands in a terminal window (Linux, or Mac with GPGTools installed).

gpg --recv-keys D78311AD
gpg -e -a -r D78311AD

Type your message, then hit CTRL-D to end it; gpg prints the ASCII-armoured encrypted block to the terminal.

Then simply copy and paste that block of PGP-encrypted data into an email.

That’s it.
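The two commands above fetch a key by its short ID and then encrypt to whatever key that ID matches. Here is an added Python check (not the author’s code) for the step in between: parse the output of `gpg --with-colons --fingerprint` and confirm that the full fingerprint you verified out of band (by text message or phone, as in “trust, but verify”) is the one gpg actually imported, before you encrypt. The listing and every fingerprint in it are constructed placeholders, not real keys.

```python
"""Check a fetched key's full fingerprint before running `gpg -e -a -r`.
A short key ID such as D78311AD is only 32 bits, so after `gpg --recv-keys`
compare the full fingerprint (confirmed out of band) with what gpg imported,
using the machine-readable listing from `gpg --with-colons --fingerprint`.
"""
# Constructed sample listing; the fingerprints are placeholders, not a real key.
SAMPLE_LISTING = """\
pub:-:4096:1:DDDD4444D78311AD:1500000000::-:::scESC::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444D78311AD:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example Person <example@example.invalid>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1500000000::::::e::::::23:
fpr:::::::::5555666677778888999900000123456789ABCDEF:
"""
# A second, unrelated key whose long ID also ends in D78311AD (short-ID collision).
COLLIDING_LISTING = SAMPLE_LISTING + """\
pub:-:2048:1:99990000D78311AD:1600000000::-:::scESC::::::23::0:
fpr:::::::::EEEE5555FFFF66660000777799990000D78311AD:
"""

def _norm(hexstr):
    return hexstr.replace(" ", "").upper()

def primary_keys(listing):
    """Map each primary key's long ID to its full fingerprint.
    In colon output the `fpr` record directly follows the `pub` or `sub`
    record it belongs to; subkey fingerprints are skipped on purpose."""
    keys, pending = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pending = f[4]          # long (64-bit) key ID of the primary key
        elif f[0] == "fpr" and pending:
            keys[pending] = f[9]    # full 160-bit fingerprint
            pending = None
        elif f[0] == "sub":
            pending = None
    return keys

def verify_recipient(listing, key_id, expected_fpr):
    """Return the fingerprint to pass to `-r`, or None if the key must not be used.
    Rejects a mismatch, and also an ambiguous ID (two keyring keys share it),
    because `-r D78311AD` would then pick one of them unpredictably."""
    key_id, expected_fpr = _norm(key_id), _norm(expected_fpr)
    hits = [fpr for kid, fpr in primary_keys(listing).items() if kid.endswith(key_id)]
    return hits[0] if len(hits) == 1 and hits[0] == expected_fpr else None

def encrypt_command(fingerprint):
    """The article's `gpg -e -a -r` step, addressed by full fingerprint, not short ID."""
    return ["gpg", "--batch", "-e", "-a", "-r", fingerprint]
```

Run it over the output of `gpg --with-colons --fingerprint D78311AD` and pass the returned fingerprint to `-r`; `gpg --lsign-key <fingerprint>` afterwards records that you verified it, so batch mode does not stop at gpg’s untrusted-key prompt.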

How to do it right with other semi-technical parties.

The problem you’ll often hit is that even if you learn how to store and transmit secrets, the person you’re talking to might not.

Striking the right balance between staying secure and looking like a paranoid jobsworth is not easy. It’s important that your company culture encourages people to take their responsibility to your customers seriously.

One good suggestion is to use Signal, a free instant messaging app for Android and iPhone that uses strong end-to-end encryption.

Another way that works well for external suppliers is to “schedule a call to securely relay the password”. This is especially useful as it lets the other party know that you take security seriously. Once they read the password out to you, you can encrypt it using GPG, or put it in a password manager like KeePassX, 1Password or LastPass.