Schneier on Security
A blog covering security and security technology.
April 14, 2005
Passwords Alone Don't Protect Trade Secrets
A court ruled that simply password-protecting a file isn't enough to make it a trade secret.
To establish that information is a trade secret under the ITSA, two requirements must be met: (1) the plaintiff must show the information was sufficiently secret to give the plaintiff a competitive advantage, and (2) the plaintiff must show that it took affirmative measures to prevent others from acquiring or using the information. Although the court determined in this case that the customer lists met the first requirement, it denied trade secret protection based on the second requirement.
The court held that "[r]estricting access to sensitive information by assigning employees passwords on a need-to-know basis is a step in the right direction." This precaution in and of itself, however, was not enough. The court was "troubled by the failure to either require employees to sign confidentiality agreements, advise employees that its records were confidential, or label the information as confidential." There was insufficient evidence in the record to show the employees understood the information to be confidential, thus the trial court's finding that the customer lists were not trade secrets was not against the manifest weight of the evidence.
Posted on April 14, 2005 at 1:05 PM
If something is a trade secret you pretty much need to make sure it stays secret. Since we all know passwords can be broken over time by various attacks, it would hardly seem an adequate form of protection for something that is a cornerstone of survival to any entity.
The title of this post was somewhat misleading. It seemed to imply that as a technical measure, password protection was insufficient to meet legal tests for trade secrecy, but in fact, technical measures were irrelevant to that decision facing the court. The fact that there was a technical measure in place, regardless of how robust and strong it was, paled in significance to the central thrust of the court (as summarized in the referenced post, but not the court's actual words): "There was insufficient evidence in the record to show the employees understood the information to be confidential". That's the key: whether employees understand the value of the material and the importance of safeguarding it.
The issues were process and procedures rather than technical. The referenced post quoted the court as saying it was: "troubled by the failure to either require employees to sign confidentiality agreements, advise employees that its records were confidential, or label the information as confidential." Even the strongest encryption wouldn't satisfy those bureaucratic requirements for trade secrecy.
Trade secrecy is more about *what* you do, and less about *how* you do it.
-- Jack Krupansky
If you read the quote above, the court implies that passwords are sufficient technology but that the employees were not sufficiently informed about the confidentiality of the information.
In other words, it's the non-technical element that was missing. Employees should have been required to sign a confidentiality agreement, and the company should have either informed employees that certain material is confidential or labeled it as confidential.
I feel the title perfectly sums up the ruling. They were stating that password protecting a file is not enough. That is exactly what the title tells me.
In a court of law it makes sense to make sure all your policies are well constructed and defined. In the real world full of espionage and spying it is practical to make sure that you can keep your secret secret.
Someone leaving a stack of hundred dollar bills with a note saying "If you take this you go to jail" really won't mean much once the money is spent.
No single precaution alone is proof against all attacks.
This is a fact that Bruce seems to harp endlessly about, without just stating bluntly that no *single* form of protection is protection enough in any situation.
State it bluntly, make it clear enough for the masses to assimilate, and then give them some ideas about multiple layers of security as well as examples of protocols that can be used to maximize one's security in various situations. ...Or at least to convince the bad guys that it's easier to go hack someone else.
But for god's sake, please stop beating that dead horse and start pushing the unwashed masses in the right direction.
Bruce's current approach, that of pointing out one by one what *isn't* secure, is much like giving someone instructions by playing '20 questions' or 'hotter/colder' "No, that's not secure, try again. Nope, still not secure. Try again."
The Papal election article was good, but not too relevant for most daily usages. We can't just throw out our computers in favor of scrutineers...
I think Jack is correct. And I agree with Eric. Let's move along from the whack-a-mole approach and see some recipes for security success.
The title is catchy, but somewhat off the mark.
I suggest that a system that might have satisfied the court could have been as simple as "our company policy, which every employee is required to sign and file quarterly with the HR department, states that the presence of a password for access means that data is to be considered a trade secret. After entering a password, employees also were required to click through a warning page that reminds them they are entering a system with trade secrets." Either one of those could establish the connection between passwords and secret status.
In other words, is it reasonable to assume that the presence of a password MUST be interpreted to mean trade-secrets ahead? You may as well ask the same question with regard to a locked door -- it's not the lock that screams "warning: trade secrets", it's the big yellow sign on the door.
Bruce, it seems like you are trying to deflate passwords again. We all know how you love to describe them as a particularly weak control and insufficient, but I do not think that is a fair interpretation here. Multi-factor authentication alone would have been no more successful than passwords. The fact is that no one could explain a clear understanding of the classification system and therefore could not be faulted for sharing information.
Isn't this slightly more significant if we look at it from a different angle - from that of an attacker?
In other words, if you in some fashion attack password protected data and gain access to it, you aren't violating the terms of this particular act, unless you have been specifically informed that this data is confidential and not for your eyes.
Of course, this may not be a broad precedent, but rather apply to data of this sort - unlike data that an employee could be expected to see as confidential automatically.
No, nothing has really changed. Attacking a password would be different than using a password you have been given. The case relates to the latter.
It has always been a best practice to include a "banner" on systems requiring authentication specifically to inform users of the liability and/or risks ahead. Not that the banner itself is sufficient, but that there are obvious places to emphasize company policies and procedures to ensure awareness.
Some might mistakenly believe that everyone naturally shares the same values, including a single interpretation of what should/shouldn't be considered confidential or secret.
It would be worse, if not impossible, for the courts to take on the burden to interpret and decide on their own what constitutes "trade secrets" for a business.
I don't know all the details of the case, but from here it looks like the business had ample opportunity but failed to prove that their staff should know that customer lists are trade secrets. And, as I explained above, it is unreasonable to expect a basic control (passwords) to be automatically interpreted so broadly, so the courts upheld security best practices.
Here's my suggestion to Bruce and Evan D. Brown for a better log entry title: "Requiring passwords alone does not constitute security awareness"
The more I reflect on this, the more I wonder how the employer could manage to win the first condition (clear case of value and corresponding harm) but lose the second (absolutely no awareness of the value and/or harm). I mean if you can establish the significant value of an asset, then how hard can it be to show that your employees knew the value and the potential harm of taking it and selling it to your competitors?
If we're to take the court decision at face value, it sounds like a password does not mean the file or system it protects is worth protecting. A lock on a door yells "it is closed, do not enter unless you have the key". Are we to conclude that passwords are so inherently insecure that it doesn't matter whether you have one or not?
Bruce's approach to passwords seems to be "forget it, it does not protect at all". If a judge considers a password little else than a rubber-stamp measure, passwords will be seen like the "top secret" label stamped by a bored bureaucrat, something more or less impressive but unable to stop an attacker. Unless, of course, your conscience starts kicking you, in which case you should not be playing spy at all.
As for "taking affirmative measures to prevent others from acquiring or using the information", I don't know American law well (or bad!), but I guess there must be a difference between an open door and one closed with a lock, however weak.
@Torres (and Bruce) - somewhat
Torres wrote "Since we all know passwords can be broken over time by various attacks, it would hardly seem an adequate form of protection for something that is a cornerstone of survival to any entity."
Strictly, this is true. However, there are surely many cases (including the protection of trade secrets) where a suitable password policy is adequate safeguard, given all the practicalities.
With exhaustive search at 1,000,000 tries per second, for a truly random password drawn from a 94 character set (printable set on my keyboard, with just shift/no-shift), it would take 193 years to be guaranteed to hit it.
Even for a fixed format of randomly chosen pronounceable nonsense words of 9 characters (xvxxvxxvx, with x=non-vowel(94-10)), a certain hit by exhaustive search takes 11 years. And this format, of course, makes it easier to remember the password.
In practice, such an attack requires access to the file of encrypted passwords (or an equivalent), which can be made suitably difficult (for logon).
If password is the weakest link, there must be better protection against physical access to data (including tamper alarms or instant self destruction on systems/discs, and sniffer-proof LANs, as appropriate).
For most of the concerns expressed against passwords, their being the weakest link is caused or exacerbated by staff (lack of training/motivation, or collusion) or procedures (ineffective, pain in the rear, or both).
Dual systems are very useful. Keep all you best secrets on a system/network that is not connected to the Internet (except perhaps by VPN), and restrict staff access to those who need it. Ensure staff have security training (as well as vetting) appropriate for their role.
So, as Bruce teaches, security is a holistic thing. Branding all password schemes and operational policies as equivalent goes against this.
"With exhaustive search at 1,000,000 tries per second, for a truly random password drawn from a 94 character set (printable set on my keyboard, with just shift/no-shift), it would take 193 years to be guaranteed to hit it."
And I forgot to add that the password has 8 characters. Apologies.
With a bot-net, one could throw a few thousand computers at the same problem. Depending on the application, it wouldn't require an authenticating computer at the other end trying to process all these attempts at this speed: Trying to remove the password protection on a file (the original topic of this thread) would allow for completely distributed attacks.
And having the computers automatically recognize the decrypted file can be as easy as looking for common words or letter frequency in the result.
You wrote: "With a bot-net, one could throw a few thousand computers at the same problem."
Yes. But "owner" of said botnet, if logical, must view the target as the most beneficial use of his botnet.
Also, the data owner could increase password length by 2 chars (a pain I know) and require the botnet owner to use a 3..4 orders of magnitude bigger botnet, which might change the cost/benefit for the attacker.
You wrote: "And having the computers automatically recognize the decrypted file can be as easy as looking for common words or letter frequency in the result."
I know, which is why I put, in brackets, "or equivalent" and "for login".
The exhaustive search effort for 8-long charset-94 random passwords is the equivalent of encryption with around a 52 bit key.
If the staff/procedural weaknesses with passwords are overcome, this is worthy protection -- for something worth protecting with a 52-bit key.
An analogy: typically in my town, house contents are protected by wooden doors, above average key types, and burglar alarms. The windows are made of glass. The doors are mostly not steel reinforced, there are usually no security guards. The residents (and their insurance companies and the police) view this as proportionate for the typical house, given the value of its stealable contents.
If your data asset is worth more protection than the 52-bit equivalent password (or whatever), by all means use it. However, just because Fort Knox needs better security than the average private house, do not argue the equivalent of locked doors and burglar alarms having no useful effect under any circumstances.
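The keyspace arithmetic in the two comments above (8 random characters from a 94-symbol set, the 9-character xvxxvxxvx pattern, the 52-bit equivalence, and the 3..4 orders of magnitude gained by adding two characters) can be reproduced with this short calculator. It is an added example, not code from the commenters or from the blog; the guess rate, the 84/10 consonant/vowel split and the 365.25-day year are the comments' own assumptions, and the botnet multiplier is a constructed illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumes a 365.25-day year

# Number of distinct passwords for a uniformly random string.
def keyspace(charset_size: int, length: int) -> int:
    return charset_size ** length

# Keyspace for the comment's pattern: 'x' = non-vowel slot (94 - 10 = 84
# printable symbols), 'v' = vowel slot (a/e/i/o/u in both cases = 10).
def pattern_keyspace(pattern: str, consonants: int = 84, vowels: int = 10) -> int:
    space = 1
    for slot in pattern:
        if slot == "x":
            space *= consonants
        elif slot == "v":
            space *= vowels
        else:
            raise ValueError(f"unknown slot type {slot!r}")
    return space

# Strength expressed as an equivalent symmetric key length in bits.
def equivalent_bits(space: int) -> float:
    return math.log2(space)

# Worst-case time to try every candidate at a fixed guess rate.
def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second / SECONDS_PER_YEAR

# Orders of magnitude (powers of ten) gained by adding `extra` characters.
def orders_gained(charset_size: int, extra: int) -> float:
    return math.log10(charset_size ** extra)

if __name__ == "__main__":
    rate = 1_000_000.0  # the comment's assumed guess rate
    cases = {
        "random 8 x 94": keyspace(94, 8),
        "pattern xvxxvxxvx": pattern_keyspace("xvxxvxxvx"),
        "random 10 x 94": keyspace(94, 10),
    }
    for name, space in cases.items():
        print(f"{name:20s} {equivalent_bits(space):5.1f} bits "
              f"{years_to_exhaust(space, rate):12.1f} years at 1e6/s "
              f"{years_to_exhaust(space, rate * 5000):10.3f} years at 5000 bots")
    print(f"+2 chars gains {orders_gained(94, 2):.2f} orders of magnitude")
```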
A lot of you seem to be getting away from the point. The password was not considered to be inadequate by the courts. The problem the courts saw was that the employees did not know what was confidential information. We are not talking about an external attacker here but instead by an ex-employee sharing "trade secrets" with a competitor.
The court ruled that password protecting the customer lists did not constitute sufficient notice to the employees that they were confidential.
The company should have had all employees sign a confidentiality agreement. They should have marked the customer lists as confidential information in some way (Would a login banner be enough? I think it would, but what do I know).
Expanding on what zwack said, it's quite easy for employees to not know something's a trade secret - it's just something they use every day and log onto every morning to update. For all they know it's a convenience or even public information, and the employer's site is just where it comes in. The cogs don't see the whole clock even if they turn part of it, unless they're told what's on the other side.
In much the same way government employees working in a secured network put modems in their machines - they simply didn't realize why they had to be offline, they just knew they were and it interfered with their productivity, because no one explained how important it was.
Right, I totally agree with what you are saying. I was just wondering why a lawyer for the company would argue that a password was sufficient notice, when they could have instead argued that the confidential nature of the data was common knowledge due to documented meetings, specific discussions, open warnings from management, etc., which I guess takes us back to the point of Bruce's title...don't think a password is the same as data classification.