Are You Keeping Your Encryption Keys Secure?

June 9, 2015

Uber, the San Francisco company behind the popular ridesharing app, is one of Silicon Valley’s highest-valued startups. But it’s also no stranger to controversy, having faced regulatory opposition in many of the major urban centers in which it operates, as well as bad press over its privacy and data security practices.

It’s unfortunate, then, that a couple of months ago, Uber disclosed a data breach in which the personal information of around 50,000 drivers was compromised when a private database was accessed by an unauthorized user.

This represents a pretty slim proportion of the company’s total number of drivers, and as of yet there’s no evidence that the data in question has been leaked, sold or used for malicious purposes. Nonetheless, and despite Uber’s offer of identity fraud protection for the affected individuals, the backlash has not been insignificant.

For example, one driver, according to Reuters, is seeking a class action lawsuit for more than $5 million in damages on the basis that the company “did not do enough to prevent the 2014 breach and waited too long – about five months – to disclose it”.

So how did the incident come about? Well, it wasn’t how you might think – Uber had, in fact, implemented safeguards to protect its drivers’ personal information, including encryption.

Unfortunately, the encryption used by Uber was rendered inadequate because the company failed to keep its cryptographic keys in a secure location.

‘The Online Equivalent of Stashing a House Key Under a Doormat’

This was disclosed in a complaint filed by the company’s lawyers for a John Doe lawsuit intended to identify the intruder, a copy of which was obtained by Ars Technica. The website reports that the key to decrypt the private database was stored in a public place – “the online equivalent of stashing a house key under a doormat”.

This highly sensitive file was uploaded by either an Uber employee or contractor to the web-based source code repository GitHub, and therefore made available for download to any member of the public who stumbled upon it. This is a common mistake, as old as encryption itself, and Uber is neither the first to make it nor the last.

The company, which now wants GitHub to disclose the IP addresses of each person who accessed the code, said in its complaint:

“Uber maintains internal database files with confidential details on the drivers who use its application. The contents of these internal database files are closely guarded by Uber. Accessing them from Uber’s protected computers requires a unique security key that is not intended to be available to anyone other than certain Uber employees, and no one outside of Uber is authorized to access the files.”

What isn’t apparent from this statement is what, if anything, the company was doing to restrict access to the security key itself. As much as strong encryption is capable of stopping hackers in their tracks, compromised cryptographic keys can quickly undo that. They’re prime targets for cybercriminals, and without proper management, they’re also easy ones.

In Uber’s case, it appears that a developer had direct access to the security key and was therefore able, potentially through simple carelessness rather than malicious intent, to distribute it on a public website. The company had applied encryption, and was logging access attempts to its database, but fell short when it came to exercising controls over the location of its keys.

The episode reinforces a simple lesson for anyone who uses encryption, whether for structured or unstructured data: keep your cryptographic keys secure. Uber’s information governance fell short because it failed to enforce the right level of diligence from its developers. For other companies, problems might arise as a result of storing keys on the same server as the encrypted data rather than in a secure vault, failure to protect keys in transit, or poor management of the key lifecycle.
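One way to enforce that diligence mechanically is to scan files for key material before they are committed or pushed to a repository. The sketch below is an added example, not code from Uber or Cryptzone; the patterns, the 4.0 bits-per-character entropy threshold and the sample files are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# PEM header of a private key block (RSA, EC, OPENSSH, ENCRYPTED, or bare).
PEM_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")
# name = "literal" where the variable name suggests key material.
ASSIGN_RE = re.compile(
    r"(?i)\b([\w.-]*(?:key|secret|passphrase)[\w.-]*)\s*[:=]\s*[\"']([^\"']{16,})[\"']"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for this example

def shannon_entropy(value):
    """Bits per character: random key strings score high, readable words low."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def scan_text(path, text):
    """Return (path, line number, reason) for each line that looks like key material."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_RE.search(line):
            findings.append((path, lineno, "PEM private key block"))
            continue
        m = ASSIGN_RE.search(line)
        # The entropy test keeps references such as a vault path from being flagged.
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((path, lineno, f"high-entropy literal assigned to {m.group(1)}"))
    return findings

# Constructed sample of staged files (not data from the incident).
STAGED = {
    "config/settings.py": 'DB_HOST = "db.internal.example"\n'
                          'DB_ENCRYPTION_KEY = "q7Zp2LxV9aRt4KmW8sYc1NdE6hUb3JfG"\n'
                          'KEY_SOURCE = "vault-managed-reference"\n',
    "deploy/id_backup.pem": "-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n",
    "README.md": "Keys are fetched from the vault at start-up.\n",
}

def scan_staged(files):
    """Scan every staged file; a non-empty result should block the commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    for path, lineno, reason in scan_staged(STAGED):
        print(f"BLOCK {path}:{lineno}: {reason}")
```

A check like this catches the careless case only; the key still needs to live in a vault or key management service so that developers never handle the raw value in the first place.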

If you’re taking a hands-off approach to your cryptographic keys, there’s a chance you’re setting yourself up for a data breach that you might otherwise have avoided. Ensure that your encryption keys are as secure as the data they are protecting to avoid the legal and reputational damage that comes with a breach.


Philip Marshall

As Cryptzone’s Director of Product Marketing, Phil Marshall brings over 14 years of experience in both product and services marketing, as well as 10+ years of experience in the high-tech publishing space with publications including Dr. Dobb’s Journal and Byte magazine. Prior to joining Cryptzone, Phil worked at security firms Rapid7, Positive Technologies and RSA. He was also a Senior Product Marketing Manager at Black Duck, the leading open source governance and management firm.

A speaker at recent (ISC)2 conferences and ISACA, he has participated in numerous webinars and panel discussions and presented on topics including Identity Security, Application Security and Open Source Governance and Management.

Marshall earned a BA at Bates College and an MBA, cum laude, at the F.W. Olin Graduate School of Business at Babson College.
