Blog / Too Many Cooks Spoil Security
Recently, a vulnerability was discovered in relation to an email encryption program that’s been around for many, many years.
The software in question is called PGP (Pretty Good Privacy.)
Emails are often transmitted in plain text (back in the day, it was always plain text.)
Even if the emails were encrypted in transmission, once they get to your software, they no longer receive this benefit.
PGP encrypts the CONTENTS of an email and makes it so that you can’t de-crypt it, without having a special code from the Sender.
The crux of the vulnerability is that you can access encrypted emails, simply by turning off the PGP plugin (extension, add-on, whatever) in your email software. This can be exploited remotely with a properly set up email. This isn’t a flaw with the PGP software, but with the email Client that makes use of PGP.
Now people who use PGP do so, because they want privacy. So, behaviour such as this is obviously very bad. PGP isn’t something likely to being of interest to many of the people reading this Newsletter. However, we can use this as a lesson in Security.
Sometimes the simple interaction of two things can cause a vulnerability.
Take this PGP issue as an example.
By itself, there’s nothing wrong with the email Client. It does its’ job fetching, sending and storing emails.
Also, there’s nothing wrong with PGP. It does its’ job by properly encrypting and de-crypting the contents of emails.
Put the two of them together however and suddenly you create a backdoor for anyone to access your archived emails you thought were safely encrypted (unreadable by anyone but you.)
There’s a lesson to be learned here, and it’s a reminder to always try and use the KISS principal. No, I’m not talking about Gene Simmons, Paul Stanley, and company:
K – Keep
I – It
S – Simple,
S – Stupid
It’s always better to make sure things are as simple as possible. What this means is that the less software and less hardware you use, the fewer ways there are for someone to attack you. By reducing the number of tools in your company, you reduce your “Attack Surface” and make it harder for someone to compromise your network.
Actively monitor the hardware on your network, as well as the software that’s installed in your computers. This is more than just a spreadsheet of things you know have been purchased. It means setting up a server or using tools dedicated to this activity.
If you have any questions about Reducing your Attack Surface, you can always reach out to your TRINUS Account Manager for some stress-free IT