Wednesday, November 21, 2007

Yet another security lapse

And so Her Majesty's Revenue and Customs (am I the only one who thinks that should have been the other way around?) has lost data on every person receiving child benefits: names, addresses, dates of birth, bank account details. Of course they haven't lost it per se; they've still got the data. What they've lost is a copy that was burned to two CDs and sent in the unregistered, unmonitored internal mail between two buildings.

My first thought was "So what?" Even if someone did pick up the discs, the data is encrypted. Except that every time it got mentioned it was in connection with 'password-protected', which may be worrying. I need to expound.

Both encryption and password protection can mean the same thing: the data (information) is jumbled up according to a formula. The difference is that when talking passwords the key to that formula is normally short, and with 'encryption' the key is long. Secondly, with passwords the key is confined to a subset of characters, normally alphanumeric.

So if we say 26 letters, each in upper or lower case, plus 10 numbers, we're looking at 62 possibilities per 'letter'; for an 8-length password that's 62^8 or 218,340,105,584,896 combinations. If it's a word that follows rules (like u follows q) then that number drops. With computer encryption we're talking of a possible 128-length (or more) key made up of 0s or 1s, so that's 2^128 or 340,282,366,920,938,000,000,000,000,000,000,000,000 possibilities. A bit of a difference.

It gets better: if the software is written correctly then it can use a 128-length key based on, say, the registration details of the software, which means that all computers using that software with that registration can read the data*; when the data is exported for some reason, it is encrypted again using password encryption.

Cracking the password simply results in a string of data that looks the same as the string of data produced by a wrong password. In other words, each time you test a password you then need to parse the data through the software running with the same registration key, which you also don't know. The phrase 'time-consuming' comes to mind.
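The key-space arithmetic above (62^8 for an 8-character alphanumeric password against 2^128 for a random key) carried through as an added example, not code from the original post. It also shows the point behind the 'password-protected' worry: a 128-bit cipher unlocked by a short password is only as strong as the password. The guess rate and dictionary size are assumed, illustrative values; the registration-key layer described in the post is not modelled.

```python
import math

# Alphabet size used in the post: 26 lower case + 26 upper case + 10 digits = 62.
ALNUM = 26 + 26 + 10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct keys of `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def bits(space: int) -> float:
    """Equivalent key length in bits: log2 of the number of candidates."""
    return math.log2(space)


def effective_bits(password_space: int, cipher_key_bits: int) -> float:
    """Strength of a cipher unlocked by a password: the smaller of the two key spaces."""
    return min(bits(password_space), float(cipher_key_bits))


def exhaust_time_seconds(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate."""
    return space / guesses_per_second


def summarise(guesses_per_second: float = 1e9, dictionary_words: int = 100_000) -> dict:
    """Compare the three cases the post discusses: an 8-character alphanumeric
    password, a dictionary word (rules such as 'u follows q' shrink the space to
    roughly a word list), and a random 128-bit key.
    guesses_per_second and dictionary_words are assumed values, not from the post."""
    cases = {
        "8-char alphanumeric": keyspace(ALNUM, 8),
        "dictionary word": dictionary_words,
        "random 128-bit key": keyspace(2, 128),
    }
    return {
        name: {
            "candidates": space,
            "bits": round(bits(space), 1),
            "effective_bits_with_128bit_cipher": round(effective_bits(space, 128), 1),
            "worst_case_years": exhaust_time_seconds(space, guesses_per_second) / (365 * 24 * 3600),
        }
        for name, space in cases.items()
    }


if __name__ == "__main__":
    for name, row in summarise().items():
        print(f"{name:22s} {row['candidates']:,d} candidates, "
              f"{row['bits']:.1f} bits, {row['worst_case_years']:.3g} years worst case")
```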

So to be blunt, I don't mind too much if this information has ended up in the hands of criminals, if it's been afforded the same levels of protection as any big business would take. Now if it's been exported to a certain popular spreadsheet program and then simply password-protected, I expect it'd break in less than a day; but our government wouldn't buy a program that'd allow that, would they?

[Update - Something I failed to mention was both the underlying need to burn this data at all, and that apparently a junior minister had access to the entire database. The first is simple when you consider each department as its own fiefdom with little cooperation between them; the second just points to poor security measures internally.]

*For those curious as to why you'd encrypt the data internally: apart from preventing on-site theft, it also needs backing up. Now, do you want your IT department to have access to the payroll and accounts system data?

2 comments:

septicisle said...

Well, about the only thing we do know is that it was password-protected and not encrypted. So was the database itself, presumably as you say, exported to a spreadsheet program and passworded using that, or was it zipped or rared and then that passworded? Either way, that sort of protection, especially if it's a simple word and not a mixture of numbers and letters, can be brute-forced in a matter of hours with any number of free programs available.

FlipC said...

As I've said, they can be equivalent, with it simply indicating the level of strength. ITV had someone crack a password-protected file in 45 seconds, though we've no idea if it was the same type as the HMRC stuff.

As I mention, using the phrase 'password protected' does indicate it as weak, but you're correct in that no-one has mentioned at what level the password was set. Not that fundamentally it makes a difference.