Google searches now reveal PGP keys says Sophos engineer

According to David Schwartzberg, senior security engineer with Sophos, even the best cryptographic algorithms are useless when the secret guarding the secret is commonly available.

"Seriously. Drop the ego for a moment and think about the potential flaws in your own best practices. Before going live, did you get the software manufacturer or a security consultant involved to point out any potential pitfalls?" he says in his latest security posting.

"For example, where are your keys stored? Wait, let's back up for a second. Did you implement symmetric or asymmetric cryptography?" he adds.

If symmetric, Schwartzberg asks, how are the data encryption keys protected from unauthorised distribution and copying?

If they are asymmetric, how is the master key protected from unauthorised access and distribution? How many people have access to the recovery password and how many pieces is it in?

"Hopefully you feel confident with your responses, but that's not all it takes to keep secrets safe. It's a good start", he notes.

And now it gets interesting, as the Sophos engineer notes Google's mission statement, which he claims is "to organise the world's information and make it universally accessible and useful".

Yes, he says, they are doing an amazing job.

"For instance, I was generating some PGP keys at this website I found called iGolder", he adds.

iGolder, he asserts, puts up a page for communicating securely with the site, a site member or your friend, all using PGP keys.

"Out of curiosity, I decided to execute a Google web search on 'BEGIN PGP PRIVATE KEY BLOCK', which finished with about 29,500 results", he says, adding that, on the first page of results, six out of ten pointed to a rendered webpage or an ASCII Armor (.asc) file (5 results) with the private key block exposed.

He goes on to say in his latest security posting that he didn't want to assume that 50% of the 29,500 results pointed to ASC files.

Refining the Google search to "BEGIN PGP PRIVATE KEY BLOCK filetype:asc", meanwhile, returned 21,300 results.

The problem here, says Schwartzberg, is this: how many entities implemented PGP and then left their private key block readable on their public web site?

The Sophos senior engineer reports that, from a percentages standpoint, slightly more than one half of one per cent (122) of all the ASC keys indexed by Google are private keys, although, he observes, from a data protection standpoint that's still 122 too many.

Those 122 entities, he explains, went through the process of implementing PGP as their form of encryption to protect their secrets, but the secret to their secrets is public.

"Any of them having a data breach will feel 100% exposed, and ramifications will quickly follow", he says.

The bottom line? Schwartzberg advises IT professionals to review their organisation's practices for securing data, even if already implemented.

Dropping the ego and not resting on laurels, he says, is always a good first start.
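The review Schwartzberg recommends starts with checking your own published content for the very thing his search found. The following Python helper is an added example, not code from the article or from Sophos: given the text of a file from a web root, it confirms that a hit is a genuine armored OpenPGP secret-key packet (Radix-64 CRC24 and packet-header checks per RFC 4880) rather than a stray mention of the header string, and reports whether the secret material is at least passphrase-protected (S2K usage byte). The sample block it builds is a constructed toy fixture with made-up numbers, not a real key.

```python
import base64, re

PRIVATE_HDR, PRIVATE_FTR = "-----BEGIN PGP PRIVATE KEY BLOCK-----", "-----END PGP PRIVATE KEY BLOCK-----"
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # public MPIs per algorithm: RSA variants, ElGamal, DSA

def crc24(data: bytes) -> int:  # OpenPGP Radix-64 checksum (RFC 4880 section 6.1)
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def decode_armor(text: str):  # packet bytes of the first private key block, or None if malformed
    m = re.search(re.escape(PRIVATE_HDR) + r"(.*?)" + re.escape(PRIVATE_FTR), text, re.S)
    lines = [l.strip() for l in m.group(1).splitlines()] if m else []
    while lines and (":" in lines[0] or not lines[0]):  # skip "Key: value" armor headers and blank line
        lines.pop(0)
    body = [l for l in lines if l]
    if not body or not body[-1].startswith("="):  # last line must be the "=XXXX" CRC line
        return None
    data = base64.b64decode("".join(body[:-1]))
    crc = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    return data if crc == crc24(data) else None

def inspect_block(text: str):  # {'tag','version','protected'} for a genuine secret key, else None
    data = decode_armor(text)
    if not data or not data[0] & 0x80:
        return None
    if data[0] & 0x40:  # new-format packet header (RFC 4880 4.2.2); partial lengths rejected
        tag, length = data[0] & 0x3F, data[1]
        off = 2 if length < 192 else 3 if length < 224 else 6 if length == 255 else None
    else:               # old-format packet header (RFC 4880 4.2.1)
        tag, off = (data[0] >> 2) & 0x0F, 2 + (1, 2, 4, 0)[data[0] & 3]
    if off is None or tag not in (5, 7):  # Secret-Key (5) / Secret-Subkey (7) packets only
        return None
    version, algo, pos = data[off], data[off + 5], off + 6  # version, 4-byte ctime, algo, then MPIs
    for _ in range(MPI_COUNT.get(algo, 0)):  # step over the public MPIs to reach the S2K usage byte
        pos += 2 + (int.from_bytes(data[pos:pos + 2], "big") + 7) // 8
    protected = data[pos] != 0 if algo in MPI_COUNT else None  # 0 = secret MPIs stored in the clear
    return {"tag": tag, "version": version, "protected": protected}

def build_sample_block(protected: bool) -> str:  # constructed fixture: toy v4 RSA packet, NOT a real key
    mpi = lambda n: n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x04" + bytes(4) + b"\x01" + mpi(0xC0FFEE) + mpi(65537)  # version, ctime, algo, n, e
    body += (b"\xFE" if protected else b"\x00") + mpi(0xBEEF) + bytes(2)  # S2K usage, stub secret data
    pkt = bytes([0xC5, len(body)]) + body  # new-format header: tag 5, one-octet body length
    b64 = base64.b64encode(pkt).decode()
    crc = base64.b64encode(crc24(pkt).to_bytes(3, "big")).decode()
    return f"{PRIVATE_HDR}\nVersion: constructed\n\n{b64}\n={crc}\n{PRIVATE_FTR}\n"
```

Run `inspect_block` over the text of every file served from a web root (including `.asc` files); a non-None result with `protected` False is an unprotected private key sitting in public.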
