Commentary Sophos Labs Insights
SXSW's Social Experiment Tests Limits Of Secure Data Encryption And The Human Condition
Reducing your fellow, fallen-on-hard-times human beings to virtual access points discounts their humanity and may compromise your data's security
The recent media purge (and I mean that literally) associated with the "Homeless Hot Spots" at the 2012 SXSW Interactive conference not only served as a bellwether of how ubiquitous we demand our connectivity to be, but also how we will gladly take advantage of others to satisfy that addiction, even at the risk of disclosing confidential data.
In fact, I'm guessing decision-makers at BBH (Bartle Bogle Hegarty) Labs, the New York-based marketing company that first proposed the idea of turning the homeless into fully functioning Internet access points, had their hearts in the right place.
Or did they?
The SXSW "Experiment"
As the LA Times reported, this "experiment" all started with the following BBH Labs blog post:
"This year in Austin, as you wonder [sic] between locations murmuring to your coworker about how your connection sucks and you can’t download/stream/tweet/instagram/check-in, you’ll notice strategically positioned individuals wearing "Homeless Hotspot" T-shirts. These are homeless individuals in the Case Management program at Front Steps Shelter. They’re carrying MiFi devices. Introduce yourself, then log on to their 4G network via your phone or tablet for a quick high-quality connection."
As detailed by the Times, the outcry was loud and, in some cases, vitriolic:
>> "Sounds like something out of a darkly satirical science-fiction dystopia; homeless participants gain nothing in the long term, and lose a measure of their humanity." -- Tim Carmody, Wired
>> "The digital divide has never hit us over the head with a more blunt display of unselfconscious gall. Their (the homeless individuals volunteering for this service) shirt doesn’t say 'I have a 4G hotspot.' It says 'I am a 4G hotspot.'" -- Jon Mitchell, ReadWriteWeb, who goes on to dismiss the hot spots as well-meaning "helpless pieces of privilege-extending human infrastructure."
>> "It has to do with digital divides, haves and have nots, and the idea that a fellow human being is of no more use to you than as an Internet jack." -- Eric Berger, Houston Chronicle.
Morals and ethics aside (and believe me when I say there were heaps of both that were apparently turned aside when this experiment actually went live), and dismissing for the time being the nominal (depending on which media outlet you believe) $20 or $50 a day plus tips ($2 to $5 per 15-minute session) paid to the homeless participants, I have to wonder: How many of the SXSW faithful were using these human MiFi "channelers" to access secured networks or transmit confidential, unsecured, and unencrypted data? And, parenthetically, how many of their counterparts in other public places were doing the same and not thinking twice about hitting "send," or, dare I say it, giving their homeless access points a second glance (much less a tip) when their "session" was complete?
Your Data. In Public. At Risk
But hey, what could go wrong? Turns out plenty, including:
>> Phishing attacks. The normal guidance for users is to never click on untrusted links for things like online banking, but to always type in the URL for www.examplebank.com. Controlling the router lets an attacker get around that control easily so you could end up at a site that will grab your online banking credentials as you log in.
>> Malware attack. You can be rerouted to a site that will attempt to download malware onto your computer even though you specified a known good URL.
>> Inline data injection/modification. An attacker could modify any data in transit. This would be hard to do from the perspective of a user of the wireless network, but it's much more straightforward for an attacker if all data were routed via a server they control.
>> Rogue networks. For example, an attacker could go into a coffee shop that does not offer wireless and set up his laptop as an access point, put login info on a couple of tables, and just wait for people to join his network. He then has complete access to their network traffic unless they are encrypting their communications.
>> DNSChanger. This alters the network settings of the router to reroute traffic to malicious servers, invisibly to the hotspot users.
Besides, all of these well-documented threats fly in the face of one of security’s top commandments: Thou shalt never trust public WiFi networks. Why? Because the folks who run them probably weren’t thinking about enterprise-grade security when they initially set them up.
Attack tools such as Firesheep have shown what can be found on an open, public WiFi network. The Firefox Web browser extension uses a packet sniffer to intercept unencrypted cookies from certain websites as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities. It shows the discovered identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim's name.
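Seen from the site operator's side, the exposure described above comes down to session cookies that are allowed to travel over plain HTTP. The following Go sketch is an added example, not code from the original article or from Firesheep; the `Exchange` type, the function name, and the sample responses are assumptions constructed for illustration. It audits Set-Cookie headers for cookies a passive listener on an open network could read:

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Exchange is one observed response: the URL requested and its Set-Cookie values.
type Exchange struct {
	URL       string
	SetCookie []string
}

// SniffableCookies returns "host: name (reason)" for every cookie that a passive
// listener on an open WiFi network could capture in cleartext.
func SniffableCookies(exchanges []Exchange) []string {
	var out []string
	for _, ex := range exchanges {
		u, err := url.Parse(ex.URL)
		if err != nil {
			continue // skip URLs that do not parse
		}
		resp := http.Response{Header: http.Header{"Set-Cookie": ex.SetCookie}}
		for _, c := range resp.Cookies() {
			switch {
			case u.Scheme != "https":
				out = append(out, fmt.Sprintf("%s: %s (issued over plain HTTP)", u.Host, c.Name))
			case !c.Secure:
				out = append(out, fmt.Sprintf("%s: %s (no Secure attribute, also sent on http:// requests)", u.Host, c.Name))
			}
		}
	}
	return out
}

func main() {
	// Constructed sample responses, not captured traffic.
	sample := []Exchange{
		{"https://shop.example/login", []string{"session=abc123; Path=/; HttpOnly", "csrf=xyz789; Path=/; Secure"}},
		{"http://forum.example/", []string{"sid=deadbeef; Path=/"}},
	}
	for _, finding := range SniffableCookies(sample) {
		fmt.Println(finding)
	}
}
```
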
Sometimes you will find yourself with no option but to use an untrusted network. In these cases, some forward planning can save you from circumstance. If remote access is required to access business resources, then set up a VPN so that all communications are encrypted (over and above whatever may or may not be in place on the WiFi network). If you use cloud storage for business files, for example, for easy retrieval while on the road, then make sure the files are stored encrypted. Not only does this ensure that the cloud storage provider can’t leak your data, but it also means that anyone sniffing your WiFi traffic will get a file they can’t read.
In other words, and to paraphrase the Boy Scouts pledge, always be prepared, meaning encrypting your data in-flight, at-rest, and especially in the cloud. And, based on recent announcements, it appears more companies are taking that advice.
Encryption As A Strategic Outcome
Recently, Thales, a global technology leader for the Defense & Security and Aerospace & Transport markets, based on independent research by the Ponemon Institute, published its 2011 Global Encryption Trends Study that found encryption is now seen as a strategic issue, and that organizations are increasing their investment in encryption across the enterprise in response to compliance regulations and cyberattacks.
The survey of more than 4,000 business and IT managers in the U.S., U.K., Germany, France, Australia, Japan, and Brazil found that encryption deployment rates vary across different countries. Germany, the U.S., and Japan show the greatest use of encryption. However, what is clear is that encryption is growing in importance in all the countries, with companies increasingly deploying encryption as part of an overall data protection strategy. In 2005 only 15% of organizations surveyed had an encryption strategy; today, for the first time, there are more organizations with an encryption strategy than without.
According to the joint press release, encryption is now viewed as a strategic issue, with business leaders gaining greater influence over their organizations' encryption strategies. The study shows that the CIO, CTO, or IT leader still tends to be the most important figure in deciding encryption strategy (39% of respondents), but non-IT business managers have an increasing role in determining that strategy (more than double since 2005 to 21% of respondents), demonstrating that encryption is no longer seen as just an IT issue, but one that affects an entire organization.
The main drivers for deploying encryption solutions are to protect brand reputation (45%) and lessen the impact of data breaches (40%). Compliance is also a major driver for using encryption, with 39% of respondents saying it is to comply with privacy or data security regulations and requirements. Compliance is, in fact, the No. 1 driver for using encryption in the U.S., U.K., and France.
Encryption For The Public Cloud
So how do you apply encryption when transferring data into the public cloud, whether in Internet cafes, on a beach, in a public library, or even at (a future edition of) SXSW?
>> Treat every endpoint as both an access portal as well as a security risk. In other words, encrypt data before it’s needed, as it’s needed, and when it’s no longer needed.
>> Entrust users to follow corporate-wide encryption policies. But, as U.S. President Ronald Reagan was fond of cautioning counterpart Russian President Mikhail Gorbachev, "doveryai, no proveryai" (trust, but verify).
>> If you’re an ITSec administrator, "blunt" user behavior (e.g., instant gratification) by enforcing sensible encryption policies and applying them uniformly and consistently to all (known) BYOD devices.
An end-to-end solution for directly managing the encryption of data stored locally or in the cloud allows users to define, manage, and own their encryption keys to secure designated files. Users can have access to files at any time, whether behind the firewall or in the cloud, as well as consistent encryption standards at every point.
An end-to-end encryption solution also allows users to choose their preferred cloud storage services because the files are always encrypted and the keys are always your own. And because encryption takes place on the client before any data is synchronized, you, Mr. ITSec administrator, have full control of the safety of your data. You won't even have to worry if the security of your cloud storage provider is breached because any data extracted, ergo, will be encrypted.
Finally, and because it's the right thing to do, if you're attending a citywide festival or conference this summer (and in case some other "forward-looking" digital ad agency decides to duplicate this same or similar social "experiment"), tip your homeless Internet access point a few bucks. It won't solve his homelessness or restore any dignity, but at least you'll be paying that person for his time and, hopefully, the (secure) transmission of your (encrypted) data at near-bargain basement prices.
Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, Web Threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.