Saturday 24 October 2015

Is it encrypted

TalkTalk have just announced that they've been hacked. The details of four million customers are in play.

The big question that they're being asked is, "Was the data encrypted?" The answer, currently, is "I don't know".

This is, of course, a silly question. And a silly answer.

Data encryption is, in this case irrelevant. Standard practice, is to store sensitive data on an encrypted file system.  That way, if the computer is physically stolen, the data is safe. This is great for the "laptop left in a train" scenario, but a database with the details of 4,000,000 customers won't be a laptop. It's also great in a "burglars ram-raid the datacenter" scenario, because although they've stolen the hardware, they can't access the data.

But in a scenario of "authorised user accessing the data", the encrypted data will be decrypted and supplied, because the authorised user gave the correct decryption key.

So, let's imagine a big company, with the sensitive details of 4,000,000 customers stored on a server. That data is there because it gets used. For billing, for marketing, for tech support. But it's encrypted, so only authorised users can access it.

Now let's imagine a wily hacker, who uses an SQL injection vulnerability, or a PHP vulnerability, or a Wordpress vulnerability, or any one of a zillion other vulnerabilities, to get root priviledge, and is now logged on as the root user. He can now log on as any user on that computer, and because he's an authorised user, he has all the access to the sensitive database that the kosher user has.

That's why "Is it encrypted" is a silly question. Because it actually doesn't matter in the hacking scenario we're looking at here. And that's why "I don't know" is a silly answer, because the correct answer is "Of course it is, do you think we're idiots? But the fact that it's encrypted, doesn't stop the hacker from accessing (and copying) it, because, see above."

Aren't there any people who understand about computer security in the media? Or in Talktalk?


  1. Perhaps your protégé, GC, is on holiday..

  2. ...

    People aren't talking about the full-disk encryption that you're saying "shouldn't matter here". People are talking about their SENSITIVE INFORMATION being encrypted on top of full-disk encryption, things that can cost them money, like credit card details, debit card details, you SSN, anything that can be used to either steal money directly from you or steal your identity and from there your money. For that, those fields need to be encrypted on top of the FDE, so even if they can get a database dump from an unencrypted source, they still need to spend a lot of time figuring out how to decrypt those fields.

  3. But the same thing applies. If you're authorised to have access to the sensitive info, then it'll be decrypted when you access it. So if the hacker is logged on as an authorised user, they have access to this data, even though it's encrypted a second time.