Security Tips from Bruce Schneier
Bruce Schneier knows a thing or two about security. The author of multiple books on cryptography, Schneier is widely considered to be an expert on the subject of encryption as well as the broader topic of information security. So we jumped at the opportunity to sit down with him for an in-depth interview at the Black Hat 2012 conference in late July. Here are some of the highlights of what he had to say.
The State of Encryption: “Not that great, and getting worse”
Asked to share his view of the state of encryption in this new age of cloud computing, Schneier says: “It’s not that great, and it’s getting worse.”
Here’s why: “As you move stuff to the cloud you lose control of the data,” Schneier says. “I might encrypt my data on my network but when I send it up on Dropbox, Salesforce, or Google Docs, my encryption policies no longer apply in a lot of cases.”
Furthermore, subscribers to cloud services such as hosted email tend to lose the flexibility of being able to decide what to encrypt and where. “I can’t encrypt my Gmail—and if I did, Google couldn’t give it to me,” Schneier says.
That said, Schneier admits that he generally does not bother to cryptographically sign his own personal email correspondence. Although it is not uncommon for security professionals to digitally sign email with PGP encryption in an effort to verify the authenticity of the sender, Schneier points to the overall insecurity of Internet email as a good reason to view all email as potentially suspect—whether it’s cryptographically signed or not.
“I assume that email is low security and I treat it that way,” Schenier said.
Schneier says he doesn’t worry too much about receiving email from users who are spoofing someone else’s identity. He notes that he receives a lot of email from strangers on a daily basis—and as such, the email sender’s name doesn’t really mean all that much to him anyway.
“There is email-based fraud, but most of it isn’t spoofed,” Schneier said. “Most of [what happens] is that someone hacks your computer, grabs your address book, and sends spam.”
He added that in cases where the user’s email account has been compromised, PGP email encryption would make the attack worse—since the spam would be signed, lending additional credibility to the spam.
DNSSEC: It’s In Your Future
Another key area where cryptography is now starting to play an important role is in the authentication of DNS information. The Domain Name System Security Extensions ( DNSSEC ) technology is all about cryptographically signing DNS information in order to provide a new layer of integrity and authenticity. The call for “DNSSEC Everywhere” was first raised in the summer of 2008, after security researcher Dan Kaminsky revealed that DNS was at risk from attack .
“DNSSEC will be helpful against lots of different attacks,” Schneier says. “There is a lot of work now being done on DNSSEC”—some of which is actually funded by the U.S. Department of Homeland Security (DHS), he adds.
The Best Defense: Backup, AntiVirus, and a Good “Bullshit Detector”
Cryptography and encryption aside, Schneier is more than willing to share a few common-sense recommendations for Internet security. At the top of his list is having a good backup.
“For a lot of people, an attack means they lost their stuff,” Schneier said. “So good backups are essential.”
Beyond that, Schneier suggests that a good anti-virus program is also essential. The other item that he suggests is a healthy dose of skepticism.
“The better bullshit detector you have, the better you’ll do,” Schneier said. “Basic hygiene plus paying attention: That’s really what I recommend.”
Software: “All Equally Mediocre”
Asked to give his opinion on what is the best or the most secure browser, operating system, or antivirus, Schneier says he is an agnostic: “They are all equally mediocre.”
Schneier argues that most people choose their operating system based on non-security concerns such as features, design, and usability. Although he concedes that he uses Windows while his wife uses a Mac, he is quick to add that he considers all operating systems essentially equal from a security standpoint—provided users take basic precautions and follow good security hygiene.
“This is true for most things in the real world,” he says. “We tend not to make decisions based on security, we base them on other things and I think that’s okay on the Internet too.”