Essentials of Microsoft Internal Security Policy

by Dmitry Kirsanov 10. April 2012 23:41


Here’s some morning fun for security experts out there.

A few days ago I needed to arrange a payment to Microsoft. The credit card used in the transaction was no longer available a week later, when the company decided to charge it. Not a big deal: I only needed to provide the details of an alternate card. Here is a fragment of the e-mail I got regarding the issue:

“Due to security policy, we strongly recommend you send these details via fax or attached to an e-mail. Please do not type these details in the e-mail body. If you wish, you can provide us with these details via phone.”

So, let’s chew it up. According to the security policy in effect at Microsoft as of April 11th, 2012, it’s ok to send your complete credit card information as a plain text file attached to an e-mail message. It’s not ok, however, to put the same information directly into the body of that e-mail message, because that would be insecure.

There was no option to provide the data through an SSL-enabled web page or to send it in an S/MIME-encrypted e-mail message, nor did I have the option of using the company’s PGP key. Using Microsoft Notepad eliminates all the hassle.

Ironies aside, you might wonder why it is recommended to send sensitive information (well, not in my case, but usually it is) as an attachment rather than in the body of an e-mail.

The answer lies in the “security through obscurity” effect of attachment encoding. When you send attachments, even plain text files, they are encoded, usually with the Base64 algorithm, so you would need to decode a few lines of text in order to read the information. There are tons of utilities available for this task: if you are a .NET developer, you can do it in one line of code, and if you are not, you can do it online.

So, in my opinion, sending the information as an attachment is not a fraction more secure.
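To make the point concrete, here is an added example (not from the original post) that composes the e-mail the policy asks for, shows that the card number does not appear literally in the raw message, and then recovers it with a single Base64 decode and no key. The card record and addresses are constructed placeholders.

```python
import base64
import email
from email.message import EmailMessage
from email.policy import default

# Constructed sample: a placeholder card record, not a real card.
CARD_DETAILS = "Card: 4111 1111 1111 1111\nExp: 12/14\nCVV: 123\n"


def build_mail_with_attached_details(details: str) -> bytes:
    """Compose the e-mail the policy asks for: details in an attached text
    file, not in the body. Mail clients normally base64-encode attachments."""
    msg = EmailMessage()
    msg["From"] = "customer@example.invalid"  # assumed addresses
    msg["To"] = "billing@example.invalid"
    msg["Subject"] = "Alternate card details"
    msg.set_content("Details attached as requested.")
    msg.add_attachment(details.encode("utf-8"), maintype="text",
                       subtype="plain", filename="card.txt", cte="base64")
    return msg.as_bytes()  # exactly what travels over SMTP


def details_visible_in_transit(raw: bytes, details: str) -> bool:
    """The 'obscurity': the literal card line does not occur in the raw mail."""
    return details.splitlines()[0].encode("utf-8") in raw


def transfer_encoding_of_attachment(raw: bytes) -> str:
    """Report how the attachment was encoded for transport."""
    msg = email.message_from_bytes(raw, policy=default)
    part = next(msg.iter_attachments())
    return str(part["Content-Transfer-Encoding"]).lower()


def recover_details_from_raw_mail(raw: bytes) -> str:
    """Undo the 'protection' with one base64 call and no secret: anyone who
    can read the message on the wire or in a mailbox can do the same."""
    msg = email.message_from_bytes(raw, policy=default)
    part = next(msg.iter_attachments())
    encoded = part.get_payload()  # the base64 text as sent, still undecoded
    return base64.b64decode(encoded).decode("utf-8")


if __name__ == "__main__":
    raw = build_mail_with_attached_details(CARD_DETAILS)
    print("card line literally in raw mail:", details_visible_in_transit(raw, CARD_DETAILS))
    print("attachment encoding:", transfer_encoding_of_attachment(raw))
    print("recovered:\n" + recover_details_from_raw_mail(raw))
```

Only an encrypted channel (TLS to a web form, S/MIME, or PGP) adds confidentiality here; transfer encoding adds none.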

The Point

Review your security policy for pearls like Microsoft’s. It could be that you employ the brightest minds in the industry, yet still have some derelicts jeopardizing your business process where you least expect it.
