- BlogInfoSec.com - https://www.bloginfosec.com -

Is Encryption Evil or Just Not Worth It?

This is a strange question for an InfoSec professional to pose, don’t you think? But it’s not so far-fetched as it may seem.

Take, for example, the common assertion that most cyberattacks are at the application layer level. Whenever this is the case, then hijacked customer accounts, say, allow for unfettered access to in-the-clear data accessible via those applications that have been compromised.

Then, we should consider cyberattacks where in-the-clear credentials are skimmed at the point of entry. This was the supposedly the case with a recent British Airways breach, reported by BBC News on September 7, 2018. This was claimed to be a so-called “supply chain attack,” whereby “malicious” code, provided by third parties, is inserted into the website or app and data entered by customers are siphoned off. In this example, the attackers were able to obtain not only credit card numbers but also the CVV codes, even though the latter are not usually allowed to be stored by companies, such as British Airways. And, even if they were stored on the company’s computers and encrypted, it would not have helped since the data were captured at the point of entry. The same goes for usernames and passwords, by the way.

Therefore, it is not obvious that encryption is of value for protecting data in the many cases where accounts are hijacked and data skimmed at entry. Encryption mostly makes lawmakers and regulators happy (and encryption vendors and hardware manufacturers very happy) without offering much in the way of the protection that is needed.

On the other hand, encryption is of huge value to the bad guys, especially those lurking on the Dark Web. Criminals love it. It allows them to conduct their illicit businesses anonymously with relatively little chance of getting caught.

While there are valid and good reasons for anonymity, such as individuals wishing to make charitable donations without attribution, encryption is not needed to achieve such anonymity. Use of anonymity via encryption is used by dissidents as well as terrorists. But whether one side is considered “good” or not depends on which side you are on and the particular point in time.

So, what’s the point? The point is that, for large swaths of commerce and government, encryption is of marginal value and a possibly a waste of time, effort and resources, unless (as I mentioned) you are a purveyor of security products and services. Even Bruce Schneier, one of the fathers of encryption, reveals in an early definitive book, “Secrets and Lies,” that security is only as good as the weakest link, which is generally not the encrypted part..

People may think that encryption protects their privacy, but it really doesn’t do much in that regard. Of course, there are examples where encryption helped the good guys, but you don’t see much of that in the press. Yes, reporters don’t often comment on the avoidance of bad things happening … that’s not newsworthy! But they frequently report on breaches where huge volumes of sensitive data are exfiltrated in readable form—otherwise it’s not considered a data breach. And such attackers can readily get data in usable form, that is, in the clear, otherwise it’s not considered a data breach.

To add insult to injury, a September 12, 2018 article by Zach Whittaker, “Security flaw in ‘nearly all’ modern PCs and Macs exposes encrypted data,” available at https://techcrunch.com/2018/09/12/security-flaw-in-nearly-all-modern-pcs-and-macs-leaks-encrypted-data/ [1] , describes how commonly-used disk-encryption software, such as BitLocker for Windows and FileVault for Macs, can be compromised by researchers who circumvent encryption and access “protected” data “in a matter of minutes.”

While encryption is not inherently evil, it may not be as effective, nor as good, as people think it is. And one more thing … if the key is lost, so are the data.