How Would You Prefer To Send Sensitive Data?

sprkltgr writes "Our HR department is implementing new software. The HR Director has tasked me with sending our data out of our network to the consultant that's loading it in to the new package. Obviously this data includes items such as SSN, name, birth date, etc. Upon being told that I would not email this data to her, the consultant asked what my security requirements were for sending the data. What would be on your wishlist for the best way to send sensitive data to someone outside your firewall?"

PGP

[Foldarn]

PGP without pause

Re:PGP

[Foldarn]

If it's data to be processed and used with a database or something similar, then I'd suggest either SFTP or set up a site-to-site VPN between your 2 offices and either provide them with instructions for FTPing it off of your server or the other way around. A simple link would work as well: ftp://10.10.10.10/yourfile.csv that way it's almost dummy proof.

Re:PGP

[Foldarn]

Correction:  ftp://user:password@10.10.10.10/yourfile.csv is the proper example link.

Re:PGP

[Dputiger]

I advise not being so paranoid. If you have proper security measures in place, and the other company does as well, the chance of either one of you being breached is absolutely minuscule. If you don't have such standards in place, you might investigate at least securing the PC the consultant will be using at his off-site location.

Re:PGP

[Foldarn]

Not being paranoid? He has to transfer the files containing sensitive information and that requires it not be intercepted by anybody but the intended recipient. In the financial sector, medical sector, any sector that deals with peoples' personal information or finances, security is the TOP priority. Assuring both your boss, you customers, and the federal government that you're in compliance is of the utmost importance. One slip and your company's credibility is gone. You know what they say, "Fool me once, shame on you. Fool me twice, shame on me."

Re:PGP

PGP or GPG would be the best method, period. All the banks use it to transfer sensitive data. You have your key they have theirs, use stronge keys and that's it.

There is another option, which is you could take the data, base64 encode it, then encrypt that with something like aes-256-cbc or similar using openssl.

Re:PGP

[Dputiger]

Oh, I agree with being secure, and I agree with taking the situation seriously. When I refer to security practices, I'm not talking about installing and updating Norton Antivirus as a be-all / end-all measure. The fact is, if his company *does* deal with this kind of data, it needs practices--regular, daily practices--that can secure such information.

Re:PGP

[Swampash]

If this is for a work task (and in the parent article it obviously is) I would only ever send sensitive data via PGP-encrypted and -signed email, or more specifically via PGP-encrypted and -signed attachment to an email.

Via encrypted signed email there's a paper trail. "The data you have is verifiably the data that I intended for you to receive, and the sensitive data haven't been mangled or modified (the hashes match), it is verifiably from me (that's my signature), and I have demonstrably met your request by sending you the information on this day at this time (email headers, server logs, whatever).

If it's important and it's for work purposes, COVER ASS AT ALL TIMES.

Re:PGP

[Lobster+Quadrille]

FTP is still plaintext. I wouldnt' trust people within my own company either with that stuff. I'd use SFTP as you said, or pgp.

Re:PGP

[nine-times]

I think he was saying FTP over VPN.

Re:PGP

[Metzli]

I would agree with PGP, once the proper legalities and assurances are in place. However, I'd worry about the non-technical issues before working on a technical solution.

There are a number of issues to be resolved before worrying about how to get the data transferred. Has the consultant and/or their firm verified their security and controls to your firm's satisfaction with something like a SAS 70? Are there legal agreements in place concerning the proper controls of this data, the explanations or responsibilities in case of a disclosure, etc.? Has the idea been proposed to create bogus data for testing so that live data isn't used? Can the application be loaded on-site, so that a machine outside of your firm's control will not contain highly-sensitive employee data?

I'd ask a lot of questions like these and get answers to my satisfaction before I sent out any data. I would greatly prefer to have to explain to my management why I'm "holding up the train" than have to explain to my coworkers why I was involved in the disclosure of their personal information and mine.

Re:PGP

[The+MAZZTer]

If you need to get on a VPN to access the FTP server you're already authenticated. There's no point in authenticating twice (unless you want different levels of access, or the FTP server is also accessible from other networks).

Re:PGP

[beav007]

PGP or GPG I've been hearing good things about ROT-13. Which one of these uses ROT-13?

Re:PGP

[shri]

I disagree. While PGP can transport the data securely, once decrypted, it will be rendered as insecure as the consultant's weakest point of security. If the data were truly sensitive, I'd send an anonymous set to the consultant, have them prepare a set of scripts / routines / procedures to import and then bring them onsite to complete the task.

Re:PGP

[Hojima]

What would be on your wishlist for the best way to send sensitive data to someone outside your firewall?" 1)Titanium alloy capsule with message 2)rail gun 3)???? 4)Message delivered (and/or profit)

Re:PGP

[enoz]

GP had tried to make it dummy proof, I guess from your reply they failed in this instance.

Re:PGP

[bennomatic]

I prefer ROT-26; less chance for data loss.

Re:PGP

[BrokenHalo]

All well and good, but none of these help if some determined individual intercepts the traffic and has the resources to brute-force the encryption. I guess the likelihood of this depends on the value of the data.

Perhaps an old-world solution might be appropriate: simply burning the data as an encrypted archive on to physical media and sending that by recorded delivery mail or some other trusted courier.

Re:PGP

[Foldarn]

Yes, it's already authenticated, but most email systems will not route email over that VPN. It will route it to the publicly accessible IP.

Re:PGP

I'm surprised no one has mentioned hushmail.
Encrypted end to end easily and automatically using pgp between two hushmail accounts. Web based email so you can use it from anywhere. Free accounts.

Re:PGP

[Foldarn]

Yes, I did attempt to. hehe... the point I failed to clarify was that if you provide that person on the other side with the technical details, it won't matter. If their IT and your IT has already done a spiffy enough job, that person won't have to even know what a VPN is. Just tell them: "Here, click this and get your file."

Re:PGP

[SpectralDesign]

I don't know, but I heard that if you double-ROT-13 even the NSA can't break the cipher.

Re:PGP

Sterling Commerce FTW!!

Re:PGP

[ResidntGeek]

has the resources to brute-force the encryption

If you're using PGP, such resources simply don't exist.

Re:PGP

[Foldarn]

At my place of business, we use WatchGuard firewalls. They do the job pretty well and they have a software package that the other firewall manufacturers also have. They call it Mobile VPN. Cisco calls it simple a VPN client. SonicWall has an adaptation that gets installed via an ActiveX control on a web browser. They all serve the same function... a VPN requires 2 sides of the tunnel to initiate. Each side has to know the others' IP address so they each can initiate with the proper authority. These VPN packages allow that second half of the tunnel to be on a static IP to have an encrypted VPN tunnel up and running in now time allowing very secure transmissions that pass any security screening. This would include initiating an unencrypted FTP transfer provided it GOES OVER the VPN tunnel. That's why in the post below, I specified 10.10.10.10 as an example. The 10.* IP addresses are restricted to private, internal addresses if I remember right (and I could be wrong). Either way, some form of VPN is suggested if you intend on transmitting data frequently to the same person.

Re:PGP

[Anne_Nonymous]

Alternately, you could quantum encrypt the data, send the key by smoke signal, and nuke the entire site from orbit. It's the only way to be sure.

Re:PGP

FTPS or SFTP or better yet zip files with high quality passwords are actually quite secure.

Re:PGP

[cayenne8]

"Yes, it's already authenticated, but most email systems will not route email over that VPN. It will route it to the publicly accessible IP."

That and email just is not a good way to send lots of data, it just isn't designed for it.

I'm more in favor of setting up a VPN....and using scp across it.

That will work better for what I guess has to be a good bit of bulk of data...and should be quite secure enough.

Re:PGP

[Swampash]

> > I would only ever send sensitive data via PGP-encrypted and -signed email, or more specifically via PGP-encrypted and -signed attachment to an email

> none of these help if some determined individual intercepts the traffic and has the resources to brute-force the encryption

Um... yeah, right. Do you know of any individual, group, company, government, species, or universe with such resources?

Re:PGP

[TheNucleon]

ROT-13 has been broken. You need to use Triple ROT-13 (3ROT13).

Re:PGP

[SanityInAnarchy]

VPN access is per-machine. FTP access is per-user. Making it accessible to anyone on the VPN is equivalent to chmod'ing 777.

It's amazing how many people make this mistake. NEVER implement an unauthenticated protocol, unless you can completely guard access to it -- and by that, I mean use it over pipelines, UNIX sockets, or in wrappers that include authentication.

Oh, and FTP sucks. I can't think of a good reason to use it at all, ever. Use Samba if it's convenient, otherwise things like scp/sftp, rsync, or actual database replication.

Re:PGP

[omeomi]

Well, what if they intercepted the information, and then waited for 100 years or so, and brute-forced it with their cybernetic implant...

Re:PGP

[Eskarel]

Well e-mail isn't really a practical solution for a large volume data set, which presumably it is or there wouldn't be much point. So while PGP e-mail is quite a wonderful technique, it won't help much.

You've also got to remember that you only have control over the security of the data during transit. It's all you're legally responsible for and it's all you have any sort of effective control over. So you're really looking for the best solution based on the transmission type you choose. For anyone who wants to put all sorts of extra security on it remember the thing problem with copy protection you can't secure something and give people the access to view it at the same time, so if the recipient doesn't secure it properly in their system, no amount of PGP is going to help anyone.

If the data set is fairly small, then encrypted e-mail might be a valid solution. If it's small to middling in size or you need to do frequent transfers SFTP or FTPS would be viable(presuming you're not using keys generated in the last two years on a debian box).

The simplest solution would be to encrypt the data, put it on a CD/DVD/Portable HD, and send it by courier or deliver it yourself(ideally in a sealed envelope). You get a signature to verify you sent it, you get a signature to verify who picked it up, you've got proof it wasn't tampered with and if someone steals it along the way it's not worth anything.

If it were me I'd also ensure that your contract with the recipient includes liability for any security breaches within their system including appropriate financial penalties. Any of those solutions will ensure it gets to the recipient without someone else stealing it and that's all you can do.

Re:PGP

[cheater512]

Not even the NSA has the resources for that.

Re:PGP

[cheater512]

Ditch the passwords and use SSH keys.
Then only the person who is allowed to see it can.

Re:PGP

[despe666]

Not even the NSA has the resources for that. And you know that because? I wouldn't underestimate the NSA.

Re:PGP

I'd prefer sensitive data be converted into freckle colored microdots that are then glued with saliva dissolving quick glue to the areola of an 18 year old maiden.

Thank you for asking.

Re:PGP

[play_in_traffic]

Um... yeah, right. Do you know of any individual, group, company, government, species, or universe with such resources? Any jealous girlfriend!

Re:PGP

[Kyro]

Unless you installed the gnupg package from debian...

Re:PGP

[andy.ruddock]

From DSA-1571-1 :
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.

Re:PGP

[amRadioHed]

And even if they did, they already have access to your SSN and credit information.

Re:PGP

[diskis]

They may very well have the resources to break a message or two. But is this message important enough to spend a decade of processing power on? No reason to be paranoid, usually people aren't important enough for their messages to be interesting. And SSNs? Like NSA couldn't get them from anyplace else.

Re:PGP

[myfootsmells]

I've been hearing good things about ROT-13. Which one of these uses ROT-13? To be perfectly honest, I really prefer ROT-26. If you've heard good things about ROT-13, imagine what doubling the encryption would do!

Re:PGP

[pboulang]

VPN *AND* scp? weirdo.

Re:PGP

[Eivind]

The likelihood that "someone" will brute-force the encryption is zero -- or close enough to make no difference. All the worlds banks are protected by the same encryption. If your data is REALLY more valuable than complete access to EVERY account in EVERY bank that has online banking, then you don't "ask slashdot" what to do about securing the data anyways.

Re:PGP

[profplump]

I wouldn't overestimate them either. The amount of time required to execute and exhaustive search is well-defined, and for mid-sized PGP keys is infeasible even assuming the NSA has access to hardware 10^1000 times faster than the rest of us (which seems unlikely all by itself).

Now, it's possible that the NSA is aware of some weakness in the public-key system itself, and therefore does not need to undertake an exhaustive key search, but that isn't the scenario laid out above.

Re:PGP

[DMUTPeregrine]

Yes, but you need to use Encrypt, Decrypt, Encrypt, This is important because if done in EEE mode the initial permutation before the second E will reverse the final permutation after the first E. Err. wait, that's 3DES.

Re:PGP

[Radak]

What are you smoking? ROT13 was cracked years ago. These days, Double ROT13 is a much better choice.

Re:PGP

Maybe you should have paused there.

Re:PGP

[Antique+Geekmeister]

The unencrypted FTP traffic on the far side of the VPN connection can be sniffed. Passwords should never, never, never be sent in the clear, even over a local network, because people are awful about change passwords and will use the same one in multiple locations. And if the VPN is between two networks, rather than between your machine and a remote network, the FTP traffic an be sniffed inside your own network.

It only takes one compromised laptop in most networks to engage in quite a bit of useful packet sniffing of exactly this kind of traffic. Unless that VPN is between your desktopo and the VPN server itself, it's hazardous.

Re:PGP

[user24]

rot13 is useless these days. You need double-rot13.

Re:PGP

[Antique+Geekmeister]

I hope your scp setup has chroot cages set up, because otherwise, your clients can go poking around the rest of your SCP server and potentially do all sorts of damage. Keeping them from overfilling /tmp and /var/tmp on the server is difficult enough. Keeping them out of /etc/passwd to find account names is even more awkard: a secured SCP server is fairly awkward. I've been seeing a few recommendations to instead use WebDAV over HTTPS. There are plenty of Java based clients, chroot cages are built in, and Windows has direct access to it over a browser for download, and using hte 'Network Connections' for upload. I also understand that is supports SSL keys quite well, for public/private key access.

Re:PGP

[Simon+Brooke]

Correction: ftp://10.10.10.10/yourfile.csv is the proper example link.

You do not want to use FTP at all. FTP is a very insecure protocol. If the data is very confidential, then you need to secure it against

• An attacker pretending to be the designated recipient
• An attacker capturing the stream in flight
  • Where that attacker is within your network
  • Where that attacker is within the recipient's network
  • Where that attacker is between your network and the recipients

Remember no encryption is so good that it can't be cracked, given sufficient compute power and sufficient time, and that the profits from identity fraud are now sufficient to make it worth criminal gangs while to put significant resource into cracking encryption.

So to send this data, in my opinion, you need to split it into chunks which are in themselves of low value (i.e. first file, names and employee numbers; in the second file, social security numbers and employee numbers; in the third file, addresses and employee numbers; in the fourth file, ages and social security numbers; and so on); encrypt these chunks using different encryption keys, so that decrypting one will not provide the key to encrypting the next; and send them over a secure channel.

The UK Government has had a series of scandals recently where couriered media (CD-ROM disks) with valuable personal information has gone missing, so couriering this is not a good plan. Criminal gangs are apparently now willing to pay about US$50 per person for identity details like these, so in terms of value for unit mass, a CD with these details is worth much more than diamonds.

Re:PGP

[Simon+Brooke]

has the resources to brute-force the encryption

If you're using PGP, such resources simply don't exist.

You are being awfully naive here. Personal details are worth about US$50 each to identity fraud gangs. 10,000 personal details times US$50 is half a million bucks, and that buys a lot of supercomputer time. Any encryption can be brute forced given enough brute force.

Re:PGP

[Simon+Brooke]

VPN *AND* scp? weirdo.

Not in the least. What guarantee do you have that there isn't an attacker already in your network, or the recipients network? Split into small chunks first. Encrypt with separate keys, then SCP over VPN.

Re:PGP

hay guyz use rot 26 lol

man im so clever to post that first

Re:PGP

[Simon+Brooke]

> > I would only ever send sensitive data via PGP-encrypted and -signed email, or more specifically via PGP-encrypted and -signed attachment to an email > none of these help if some determined individual intercepts the traffic and has the resources to brute-force the encryption Um... yeah, right. Do you know of any individual, group, company, government, species, or universe with such resources?

Yes. The Russian mafia. They have much more than sufficient resource - not merely access to supercomputers, but also access to large botnets of other people's PCs. Cracking encryption is a task well suited to distributed computing.

Yes, these people can and routinely do crack military grade encryption, if the data is valuable enough. This data is valuable enough.

Re:PGP

[Simon+Brooke]

They may very well have the resources to break a message or two. But is this message important enough to spend a decade of processing power on? No reason to be paranoid, usually people aren't important enough for their messages to be interesting. And SSNs? Like NSA couldn't get them from anyplace else.

You aren't thinking.

Multiply the number of employees in the company by US$50, and that's what this data stream is worth to an identity fraudster. If the identity fraudster also controls a botnet, a decade of processing power not only costs nothing but also can be supplied in a week of wall-clock time.

No, usually encrypted messages aren't worth cracking, because individually they're mostly not worth a lot of money. But this datastream is worth a very large amount of money. If the attacker knows what it is, it's definitely worth cracking.

Re:PGP

[|DeN|niS]

You are being awfully naive here. Personal details are worth about US$50 each to identity fraud gangs. 10,000 personal details times US$50 is half a million bucks, and that buys a lot of supercomputer time. Any encryption can be brute forced given enough brute force.

You keep saying that. Maybe you want to run the numbers sometime? Something like all the computing power in the world in constant use for X thousand years? Barring a fundamental flaw in the algorithm, or a botchy implementation (say generating your keys on Debian) there is no way this is brute forcable in anyones lifetime. It's just math. It's your random claim the russian maffia can break any encryption, versus math. I know whose side I am on.

Half a million bucks buys you a 56 bit DES message in under 24 hours. Note that an extra bit does not double the effort, it squares it. Do the math.

Re:PGP

[pincho23]

You should rot-13 twice. Twice the security.

So when do I get my membership card for the 'don't read, just post' club?

Re:PGP

I'd agree with this as far as it goes but I'd go a little further. The data sent shouldn't be anonymised real data but specifically designed/crafted data to cover every case the software needs to deal with, along with an agreed process for validating the handling of that data by the new software in the process definitions. Current real data my not include every possible case and may leave problems to be stumbled upon later.

Re:PGP

[smallfries]

You shouldn't assume that VPN access is per-machine. Our network for example authenticates each user on the VPN *and* ensures that the machine is registered. I don't think that is uncommon.

Re:PGP

[Bert64]

More worrying is that someone willing to commit the crime of identity fraud isn't likely to think twice about breaking into large numbers of computers systems, scouring them for information and then turning them into compute nodes for cracking encryption. Thousands of compromised machines working together would make a fairly effective cluster.

Re:PGP

[MoogMan]

I think the problem is on a higher level - why do you need to send these details outside of your trusted zone?

Would it not make more sense to have the "new package" installed into your network, and have the data migrated in place?

Bear in mind... SSNs are used presumably in use for 80+ years, so whatever encryption you use *should* be uncrackable in this period.

And then, of course, you have to be sure that the consultant stores this data in a secure way - or are they going to decrypt the package and store it on his/her laptop in unencrypted form?

Transfer is only one part - you need to consider end-to-end encryption to ensure correct security.

Re:PGP

[lhunath]

http://wooledge.org:8000/FtpMustDie

Re:PGP

[eric76]

Yes. The Russian mafia. They have much more than sufficient resource - not merely access to supercomputers, but also access to large botnets of other people's PCs. Cracking encryption is a task well suited to distributed computing.

Yes, these people can and routinely do crack military grade encryption, if the data is valuable enough. This data is valuable enough.

Would you perhaps have some real information to support those claims?

If they are cracking military grade encryption, which I very seriously doubt, then they are likely doing so by buying the keys from someone, not by brute forcing it.

Re:PGP

[silanea]

Quite a lot of stuff is worth cracking. That does not have any influence on what can be cracked. Computing resources available today are enormous, but they are still finite. And to the best of my understanding they will be quite finite enough to ensure our privacy for the next couple of decades. But since you so vehemently say otherwise, you surely posess reliable and verifiable information to the contrary that you could share with us here to enlighten us?

Re:PGP

[Zironic]

I doubt that they'd make that an effective cluster also the complexity of RSA encryption is just silly.

For example breaking a 663 bit RSA number took 75 years of 2.2ghz computer time.

http://en.wikipedia.org/wiki/Integer_factorization

Re:PGP

[xalorous]

So it would take 2000 computers to do this in about 2 weeks?

Re:PGP

[WuphonsReach]

Yes. The Russian mafia. They have much more than sufficient resource - not merely access to supercomputers, but also access to large botnets of other people's PCs. Cracking encryption is a task well suited to distributed computing.

Yes, these people can and routinely do crack military grade encryption, if the data is valuable enough. This data is valuable enough.

Highly unlikely.

What they (the attackers) are probably doing is either:

1) Man in the Middle (MITM) attack where the source/destination players (Alice & BoB) don't properly authenticate their encryption keys. Which lets them read all of the traffic by pretending to be the other end of the stream to each player.

2) Attacking the weak point of any encryption system - key management. Either by keylogging to obtain the passphrase, or other rootkit / cracking work to steal the private keys. Which then allows them to decrypt the messages. Getting key management correct is HARD (the devil is in the details).

3) Suborning either Alice or Bob (i.e. bribery or social engineering). Or simply via the lead lined rubber hose attack.

There's an awful lot of very very smart people out there who are looking at the current algorithms in use (AES, RSA, etc). If there were known weaknesses in the algorithms, we would have heard about them. Something that is encrypted with today's 256bit symmetric encryption algorithms is extremely secure for the foreseeable future (40+ years?). At least, as long as the encryption key is not leaked through some other fashion.

Re:PGP

[xalorous]

Use strong encryption.
Burn to physical media.
Send via bonded courier.
Send password via encrypted email, or via registered mail.

If you need frequent access from both ends, set up extranet with encrypted vpn with reasonable security on both ends. The data at rest should be encrypted with strong encryption and the password should change frequently ( 90 days). Access to the password and to the storage folder should be restricted.

Yeah, all you alarmists worried about 'one compromised computer' are right, but that threat exists no matter how you connect to transfer the data. The VPN doesn't answer this threat, it answers the threat of capture of data in transit.

Re:PGP

[drinkypoo]

Really, what's wrong with just using IPSEC and ftp? ftp is canned crap by itself because of the stupid networking requirements (if you're already using TCP, there's no reason WHATSOEVER to open two connections, much less to do it how ftp does) and generally impossible to secure through rational means but is fine through VPN.

Of course, you have to make sure that your switch isn't vulnerable to a poisoning attack that will let a local attacker sniff that password, unless you do direct host to host ipsec, which is my recommendation anyway. Then the whole thing is pretty secure. ipsec is relatively easy to set up on windows with preshared keys (I never did get certs to work between HPUX and Windows which is where I tried it, but if I'd had a Windows 2003 domain server it supposedly would have been easy) and plenty easy to set up on most Unices.

Alternatively, just put a simple password on the thing, USPS the password to the guy via some kind of registered mail, and then courier the data, and do it physically. This is much more secure, provided your carrier is competent. (Read: NOT UPS, who not long ago delivered eight pounds of court documents to me at 9850 on one street, while it was addressed to 9580 on another street.

Re:PGP

[freeat12five]

The real question is whether the 'tard on the other end will offer your personal data even a fraction of the privacy protection that is being suggested by the talented readership. I am guessing it will go in an Excel spreadsheet and get copied to every unprotected file share with a public IP address on this planet. Twofish, Blowfish?...either way you're boned...

Re:PGP

[grommit]

Now you're the one that isn't thinking. Assuming the OP doesn't use an insanely short bit length, it would take EVERY SINGLE COMPUTER ON THE PLANET working together at least a decade to brute force it.

The math is simple, the amount of computing power to brute force PGP just doesn't exist on this planet yet. Maybe in a decade or two but then all we'd have to do is increase the bit length that PGP uses.

Re:PGP

[ezzzD55J]

Any encryption can be brute forced given enough brute force.

No.

Re:PGP

[ezzzD55J]

Note that an extra bit does not double the effort, it squares it. Do the math.

What?

An extra bit does double the keyspace.

Re:PGP

I've been hearing good things about ROT-13. Which one of these uses ROT-13? Microsoft and Debian both have packages that use ROT-26 (twice as good), you may want to look into them.

Re:PGP

[MrNemesis]

Ever since my patch went through, the Debian GPG uses either double or quadruple ROT13

I kid, I kid ;)

Re:PGP

[DaveHowe]

PGP is a good choice for either email or file encryption (done right, s/mime isn't terrible for the former either) provided the recipient can support it.

if this is just a oneshot deal, its probably easier to provide them with a password protected archive and give them the password verbally (over the phone) - good choices here are anything that uses 256 bit aes or the equivalent, so rar, winzip and 7z (which is opensource/free) are good choices.

Re:PGP

[Chris+Mattern]

Yes.

However, it is practical to have a large enough keyspace that "enough brute force" cannot be realistically achieved, even assuming machines millions of times faster than the fastest currently available.

Re:PGP

[0xFCE2]

Yes. The Russian mafia. They have much more than sufficient resource - not merely access to supercomputers, but also access to large botnets of other people's PCs. Cracking encryption is a task well suited to distributed computing.

Yes, these people can and routinely do crack military grade encryption, if the data is valuable enough. This data is valuable enough.

"military grade" is a pretty useless term here - the military uses all kind of encryption, from weak to very secure. But when talking about encryption suitable for "secret" stuff (i.e. classified secret), then you can be pretty sure the NSA is not going to allow any form of encryption which is known (to the NSA) to be breakable. Not breakable by any other (foreign) government agency with a multi-billion-dollar budget, and certainly not by the Russian mafia. And as a reminder, AES is a valid algorithm be used to protect secret communications and available to pretty much everyone.
To get your data, they would try to get the encryption keys by hacking the computer or by physically breaking into your house and office. They might even sneak backdoors in the software you are using and weaken the encryption artificially. But they will not bother with the encryption itself, unless you've been using weak encryption from the start.

Re:PGP

[|DeN|niS]

Ugh, yes, sorry.

What I meant is that every extra bit doubles the effort, i.e. going from 128 to 256 bits is not doubling the effort, it is squaring it.

Re:PGP

You keep saying that. Maybe you want to run the numbers sometime? Something like all the computing power in the world in constant use for X thousand years?

But, but, but SUPERcomputers! I have no concept of security algorithms, but surely a CRAY can crack anything, right!?!?!?

Re:PGP

PGP is good.

PGP on physical media sent by FedEx is better.

PGP over a directly dialed modem or a non-Internet dedicated line would not be bad.

Of course, the overarching theme here is to keep it off of the Internet. Otherwise, you could use a VPN. Personally, I think the physical media approach is the best choice.

Re:PGP

[hesaigo999ca]

pause......yeah PGP for sure

Re:PGP

[hesaigo999ca]

They broke the SHA1 encryption recently,
however PGP's smallest keys start at 128bit encryption

Re:PGP

[Swampash]

SHA-1 is encryption now? Wow, blink and you miss something on the Intertubes...

Re:PGP

[blueg3]

"Remember no encryption is so good that it can't be cracked, given sufficient compute power and sufficient time, and that the profits from identity fraud are now sufficient to make it worth criminal gangs while to put significant resource into cracking encryption."

No practical encryption, that is. One-time pads are uncrackable. However, your statement is misleading -- for many types of encryption, "sufficient time" is longer than multiple human lifespans, even with access to a large amount of computing power. It's generally the non-encryption parts of a security system that fail.

Re:PGP

[@madeus]

I think the point is that SCP/SFTP on it's own (or an HTTPS resource with authentication, for that matter) is sufficient in all cases most /.'ers will ever encounter.

With iptables (or a separate firewall) to block connections from hosts even connecting from non allowed IP blocks, that's a fairly robust solution. A VPN on top of that is of little real value.

Of course this assumes the database dump on the server is encrypted (e.g. with GPG).

This is not least in case people are tempted to leave it around unencrypted in directories on the server / on a laptop, as while it can't prevent people from doing that it can positively reenforce the idea they shouldn't be doing that (and so encourage appropriate behavior) - as well as protecting the data from exposure by application vulnerabilities on the server.

Re:PGP

Technically, it's not _worth_ cracking if the gain from cracking is finite but the cost of cracking is infinite (because it's impossible). ;-p

Re:PGP

[Foldarn]

You're dense. I specified over a VPN tunnel. At work ours our encrypted with SHA1 and 3DES between both ends of the tunnel. Once you've got a VPN, you can push data in plain text and it's secure. There is little way around an inside intruder. If you've got to worry about that, then you've already got bigger issues at hand.

Re:PGP

[@madeus]

Remember no encryption is so good that it can't be cracked, given sufficient compute power and sufficient time, and that the profits from identity fraud are now sufficient to make it worth criminal gangs while to put significant resource into cracking encryption. "Criminal gangs" are not going around cracking 2048 bit RSA or 256 bit AES encryption, not even the ones led by villains that live in hollowed out volcanoes or in orbiting moon bases.

Certainly FTP is not appropriate (there is no reason not to use SFTP/SCP/HTTPS) and depending on the level of security required a VPN layer may also be appropriate, but splitting the data into chunks with separate keys is of little value (and silly, frankly).

It's liable to cause more maintenance issues (and quite possibly result in corruption if their is an error in the joining operation - which could be VERY problematic), take longer for both parties to implement and if you are writing a script to re-integrate the data (e.g. in the case of a routine operation) the keys and pass phrases are going to be all in the same place anyway. And of course, the data will all be joined together unencrypted at the other end in any case.

The weak points you to worry about are not movie villains cracking VPN, SSL and GPG encryption - but rather something more like a dolt leaving the unencrypted data on a laptop then leaving the laptop in a minicab.

Encrypting the data, encrypting the transfer and authenticating the user (which may or may not also including confirming their source IP as part of the authentication check) is sufficient. You don't need to also split the data up and hide it all over the place like it's something from a Dan Brown novel.

Re:PGP

Well that means
56 bits <= 1 day
57 bits <= 1^2 days = 1 day ...
56+n bits <= 1 ^ ( 2 ^ n) = 1 day!

Man, I just invented a time machine!

Re:PGP

[Foldarn]

You're close, OxFCE2. Secret and Top Secret data do not go out over the standard internet. There are 2 other completely seperate networks that I know of. They don't connect to the Internet in any way, shape, or form. They work exactly LIKE the internet, but completely seperate from it.

Re:PGP

[ewanm89]

Oh, well I would PGP encrypt the file, then use scp over a VPN link. The details to other party will be in a PGP encrypted and signed mail.

Re:PGP

[ewanm89]

FTP means that anyone else on those two networks would also have access!!!

Re:PGP

Well, PGP + a binding contract with penalties for data leakage. PGP ensures that the data is safe from you to the recipient. The legal contract ensures there are penalties for the other entity if they were to lose or leak the data (as it is out of your control at that point).

One further step that can be taken is to put canaries in your data -- unique and fake entries that are hidden in the data to tag the data. If leaked data is found out in the wild, you can track back to that specific project based on these tags.

Re:PGP

[retupmoca]

saliva dissolving quick glue What possible use could anyone have for glue that dissolves saliva?

Re:PGP

[Aram+Fingal]

For the most part, actually cracking cryptography is not worth it, especially so in the case of PGP and GPG. It's usually much easier to use some kind of chosen text attack because people seldom use the strongest possible passwords. Other options include things like keyloggers to capture the password or social engineering.

Re:PGP

[magisterx]

It depends on the amount of data to be transferred. I would agree with the parent post either PGP or GPG (a GNU implementation of PGP which is open source and can be made compatible with the right settings) is ideal for a moderately sized chunk of data which does not need to be correct up to the second.

If the amount of data is excessively large or needs to be extremely current then a VPN is a good option.

If you want to get more esoteric, you can set up replication between your database and hers (with or without the benefit of a VPN) and if you want to be paranoid many databases including MS SQL Server 2005/2008 now include native encryption within the database core.

Re:PGP

[Garganus]

"thousands of compromised machines working together would make a fairly effective cluster."

Except that the notion of brute forcing a 128 bit key is ludicrous. A powerful cluster? Yes. An effective cluster? No.

We could all go into great depth on why big keys can make archives genuinely uncrackable, but I'll just rub some wikipedia on it:

"The amount of time required to break a 128 bit key is also daunting. Each of the 2^{128} possibilities must be checked. This is an enormous number, 340,282,366,920,938,463,463,374,607,431,768,211,456 in decimal. A device that could check a billion billion keys (10^{18}) per second would still require about 10^{13} years to exhaust the key space. This is longer than the age of the universe, which is about 13,000,000,000 (1.3 *10^{10}) years.

AES permits the use of 256 bit keys. Breaking a 256 bit key by brute force requires 2^{128} time more computational power than a 128 bit key. A device that could check a billion billion (10^{18}) AES keys per second would require about 3 *10^{51} years to exhaust the 256 bit key space.

Hence, 128 bit keys are impractical to attack by brute force methods using current technology and resources, and 256 bit keys are not likely to be broken by brute force methods using any obvious future technology

Re:PGP

[Foldarn]

If they've got access to the appropriate permissions and the knowledge of packet sniffing on the network and know what they're watching for and know the 2 endpoint IPs to watch for the traffic, sure.

Re:PGP

[hesaigo999ca]

call it more like the poor man's encryption!

Re:PGP

[aarner]

An approach that's worked amazingly well for me in the past is MQ over VPN. Addmittedly IBM's MQ is a bit (OK, incredibly) heavyweight, but wrapping it in JMS or using Geronimo or one of the F/OSS lighter-weight message queueing products would work just as well. MQ-ish products just have tremendous advantages over FTP/Http. Not the least of which is you are setting up dedicated point-to-point "channel" if you will - almost akin to older circuit-switched networks. It's an easy sell to the suits on this approach as if offers more layers of a defense in depth strategy. MQ (and it's ilk) also offer you guaranteed delivery which can greatly simplify transaction processing if this isn't a batch thing.

Re:PGP

[ezzzD55J]

It's not a matter of realistic, but a matter of physics that there's a finite number of computations that can be done in the remaining lifetime of the universe, and it's easy to make a key large enough the keyspace can't be searched in it. If you're saying that 'enough brute force' doesn't have to fit in the space and time we have in this universe, then fine.

Re:PGP

[K'tohg]

Assuming PGP and/or GnuPG is capable to producing and managing good encrypted data using the most popular algorithm out today (DES? AES?) we talk of 56 bit easy to crack, 128 bit harder. If as geeks we are so concerned about distributed brute force attacks why not just up the key size to 1024 bit no wait with today's bandwidth make it a 2Mb (2048 bit) key? I mean really is a key the size of 2048 bit really going to slow down the transmission? No less then streaming you favorite internet radio and video sites. So assume proper key management, and properly secured end terminals. The transmission of the data is the week point bump up the key size to be so astronomical that no for of distributed computing would be able to hack it till some time in 50 - 100 years from now. By that time the information itself will have been expired. Or am I totally wrong in thinking this?

Re:PGP

I hope your scp setup has chroot cages set up, because otherwise, your clients can go poking around the rest of your SCP server and potentially do all sorts of damage. Keeping them from overfilling /tmp and /var/tmp on the server is difficult enough. Keeping them out of /etc/passwd to find account names is even more awkard: a secured SCP server is fairly awkward.

I've been seeing a few recommendations to instead use WebDAV over HTTPS. There are plenty of Java based clients, chroot cages are built in, and Windows has direct access to it over a browser for download, and using hte 'Network Connections' for upload. I also understand that is supports SSL keys quite well, for public/private key access. I don't really care if /tmp or /var/tmp get filled up, they're both on separate partitions and logs are sent elsewhere. When they are full, I will get an alert and know that something is amiss, dig deeper, and shut off access. Knowing account names in /etc/passwd is a little bit more problematic, but since the user would already have a login to the server I'm not so worried about it. There are many other less secure places to find user names that I have no control over.

Re:PGP

[gratemyl]

56+n bits <= 1 ^ ( 2 ^ n) = 1 day! Gotta love being pedantic:

56+n bits <= 1 ^ 2n

Which is still 1 day.

Re:PGP

[skeeto]

Passwords should never, never, never be sent in the clear

Except if you are logging into some kind of news-for-nerds website, I guess. :-P

Re:PGP

Rot-13 is pretty secure - but I would run it through twice just to be sure.

Re:PGP

[MikePikeFL]

FTP still has its place. If you are already going over VPN, FTP can be way better than SMB if say, the link dies at 699MB of a 700MB file. FTP resume performs miracles with an appropriate client (read ncftp). scp/sftp don't regularly support resume (I think there are some hacks out there), and sometimes rsync isn't universal (Win32, permissions, and rsync can do some evil things).

Obviously it all depends on the platforms in use, the links' reliabilities, the links' speeds, the criticality of time, one's patience, one's pain threshold, etc. YMMV.

Re:PGP

[gratemyl]

You're a bit closer, Foldarn ;)

Intelink is actually connected to the Internet, but only at a single point: https://www.intelink.gov/

Not that it makes much of a difference anyway.

Re:PGP

[Foldarn]

Ooh, I stand corrected good sir! I'm just waiting for a www.goatse.smil.mil

Re:PGP

[gratemyl]

That doesn't mean this data stream cannot be cracked.

However, the effort required to crack it makes it unworthy of cracking. I think that's what you meant to say.

Re:PGP

[gratemyl]

You know, Enigma itself isn't broken "as such" -- it is simply that the Germans (yes, I am one of them) used the Enigma incorrectly.

They repeated the message key (i.e. they encoded it twice) so Turing was able to host something similar to a plain-text attack. Considering the key-space was not that huge, and he had all the resources he needed, it got easy.

When the German Navy stopped encoding the message key twice, they resorted to stealing a code-book (one of the books with the master keys, you know, like a keyring these days).

Re:PGP

[ahabswhale]

Every place I've ever been that uses VPNs always requires the client machine to have VPN software running locally on that machine. Anything else (like connecting to another machine that will do the encryption) is super-n00btastic. I don't know anybody who does stupid shit like that.

Re:PGP

[Hatta]

How else am I going to transfer media to my xbox? There's an FTP server in the bios and in my dashboard app. Should I install linux on it, so I can scp everything? How would I install linux without the FTP first though? Is there a bios I can install with an sftp or rsync server?

In the lab, we use FTP to copy our images from a NT machine hooked up to a phosphoimager. Could I set up sftp on it? Sure, but why? Anyone can walk by the phosphoimager and get the password off the sticky note anyway. And then I'd have to educate everyone in the lab about sftp. Samba could work I guess, but I'm not sure if we're on the same domain, or if that even matters. Windows networking is a mystery to me.

And sometimes, the security of the host system is a lot more important than the security of the data. Setting up a read-only chrooted anonymous ftp server, something that's well audited like vsftpd or openbsd's ftpd, really can't be beaten.

Re:PGP

[nbauman]

ROT-13 isn't too secure. If you ever use it, you should encrypt it twice.

Re:PGP

[Pike]

Use either TCT or CTC.

Re:PGP

[TravisO]

This guy is a consultant, he should be on site and loading the data without every leaving the network. Once it's outside the network, it's as good as stolen. Do you really think he's going to remember to permanently delete his email, what about his temp file created when he unzipped the data or the unzipped & decrypted file he imported (that he didn't delete because he might need to flush and import again? If he gets a copy of it outside the network, chances are he's got 1 or 2 copies of it unsecured in his laptop/desktop that will stay there until the HD gets formatted.

Re:PGP

[Daimanta]

Ok, brute for this:

DOJ DSKN

it uses a one time pad if you are interested in the encryption

Re:PGP

[Locklear93]

It's amazing how often I hear people argue against encryption by saying something like the "enough time and enough power" argument. It just doesn't hold water. The amount of power and time needed to crack good encryption by brute force is insane. "Why bother, they can get into it if they try!" Maybe their great, great, great, great (ad nauseum...) grandchildren can, but by then whoever encrypted it will have long since died with their data secure. Hell, if you're only worried about it in transit (and willing to use less/no encryption once it's where it's going), you could do something like TrueCrypt offers, and encrypt it with AES, Twofish, and Serpent, cascaded. Performance isn't practical for working with it like that, but there's no way in hell anyone's getting into the data in the next eon. Of course, depending on the amount of data, it could be a week before it's finished decrypting, too...

Re:PGP

[turbidostato]

"Ok, brute for this:
DOJ DSKN
it uses a one time pad if you are interested in the encryption"

While I see your point, one time pad *is* crackeable. A message is never an island (if it is valuable, that is) and lives within a context. In this article, you already know the decyphered data will render "SSN, Name, Birth date, etc.". Not to say such a big message would be decipherable, but given the same amount of previous knowledge, yours would be trivial, provided it's a text message (a number would be undecipherable anyway, due to the lack of redundance on the message in the clear).

YOU CUTE.

Re:PGP

[drinkypoo]

How else am I going to transfer media to my xbox? There's an FTP server in the bios and in my dashboard app. Should I install linux on it, so I can scp everything?

you're supposed to install xbmc as your dashboard; it has an SMB client and a file manager.

In the lab, we use FTP to copy our images from a NT machine hooked up to a phosphoimager.

You use FTP to copy images from an NT machine? Why not some SMB client? Samba again. NT authentication is dramatically more secure than some plain text FTP passwords, and is probably already a vector for attack against that system anyway.

And sometimes, the security of the host system is a lot more important than the security of the data. Setting up a read-only chrooted anonymous ftp server, something that's well audited like vsftpd or openbsd's ftpd, really can't be beaten.

This is not one of those times, though...

Re:PGP

[drinkypoo]

something you have, something you know. Ideally you have both certificate and password. (Or a password-protected certificate, woo hoo.)

Re:PGP

[SanityInAnarchy]

That's not the point. I realize that your VPN may require per-user authentication to connect.

But what happens once you're connected? Anything on your machine can FTP to 10.1.2.3 or whatever. That's why you need a password on the FTP.

It means that you can actually use FTP, or Samba, or any other unencrypted protocol you like -- transmissions won't be intercepted, which is nice. But you still need per-user authentication for any protocol used on top of the VPN.

Re:PGP

[SanityInAnarchy]

FTP can be way better than SMB if say, the link dies at 699MB of a 700MB file. So can decent file utilities. SMB will let you seek, so, long story short, I can do this on Linux:

dd if=/some/samba/mount/file.iso of=/my/local/file.iso bs=1M seek=690 skip=690

That assumes, of course, that the file is actually copied to the destination, and not to some temporary file which is nuked in the event of failure. But you could easily have the same problems with FTP.

Obviously it all depends on the platforms in use, the links' reliabilities, the links' speeds, the criticality of time, one's patience, one's pain threshold, etc. YMMV. much better ways of managing websites, I think SMB (or anything similar) is a lot more convenient than FTP.

Re:PGP

[SanityInAnarchy]

And then I'd have to educate everyone in the lab about sftp. The horror!

Click here, click here, and done. Even easier on Linux -- type a fish URL into Konqueror, and done.

How'd you educate them about FTP in the first place, then?

Samba could work I guess, but I'm not sure if we're on the same domain, or if that even matters. Depends how secure you want to make it. Given that you're using FTP now, it would be pretty trivial -- just setup anonymous access with a password (a few clicks on any Windows server, and Samba is about as easy). It doesn't even need to be on the same subnet, just type \\1.2.3.4 into your file browser on Windows, and you'll connect.

And sometimes, the security of the host system is a lot more important than the security of the data. Setting up a read-only chrooted anonymous ftp server, something that's well audited like vsftpd or openbsd's ftpd, really can't be beaten. Given that any Samba server is going to support dropping to a user anyway, I think the only thing you've got on that is chrooting. Then there's scp/sftp, which is at least as audited, I would think.

Re:PGP

[Hatta]

I have XBMC as my dashboard. I can use mput in ncftp to store a game or video on the hard drive, and have it be ready to play when I get there. Using SMB requires me to share the directories in question, drag my lazy ass to the other room, navigate to the appropriate places in the file manager, copy, then go back to the computer and wait.

The NT machine was set up long before I came here, and will probably be there long after I leave. There is some sort of firewall in place, I'd imagine opening the SMB port on an NT machine would expose it to a lot more attacks than running wu-ftpd. FTP password security isn't important in this case, the FTP user isn't a real windows user, anyone can get the password from the sticky note, and honestly they should have just set it up as anonymous FTP.

None of that actually matters of course, I just think there's a point to be made that FTP has its applications in some trivial environments where simplicity is more important than security. TFTP would work too, but more people have FTP clients.

Re:PGP

[asc99c]

Network to network VPNs are pretty common and extremely convenient and easy to administer. Many people will have used them frequently without ever knowing.

At work, if I type in 10.244.x.x (e.g. local LAN address) a Cisco VPN box automatically networks me up to another office.

If you work in a company with multiple offices, there is probably a regular need for the offices to communicate electronically (e.g. access to admin systems / shared documents etc.) and there is probably no budget for a fixed line connection. Having to constantly manually connect to a VPN each time would be a huge pain in the ass.

Re:PGP

[blueg3]

The important thing is that it's very, very easy to make the encryption itself the strongest link in your security system. If you encrypt with AES-256, then you have to worry about everything but the encryption itself. They might hack into your machine and steal the key, bribe someone to just give them the key or the data, or kidnap you and torture you until you give it up, but they won't brute-force the encryption. All other methods of getting what they want are easier.

Re:PGP

[Locklear93]

Well of course. All the problems you mention, though, could occur any time you make your data anything but severely vulnerable. Torture can't be easily helped, but there are ways of making it harder to get the desired result (keyfiles you don't have quick access to, for example), assuming the data is important enough to prepare for torture and accept it. PEBKAC problems are always going to be there, and always have to be dealt with or prevented; encryption doesn't make people unstupid. Sadly, I'm yet to find anything that'll do that. I thought I was in luck with an old UT2k3 patch with the note "makes players brighter," but that didn't seem to do it either.

Re:PGP

[Antique+Geekmeister]

Really! Then the corporate VPN sservers between remote installations and the dedicated VPN gateways between them are also super-n00btastic? It's a common approach for companies with shared resources in remote locations, it allows access between the networks for simple devices or legacy systems that cannot handle installing a VPN client, and saves a lot of time and manpower setting up the clients on their individual machines. The laptop VPN clients are for travel and home use, and there, I'd agree that connecting a local subnet to theh VPN is unwie. But I've seen 4 corporate setups like this in the last 2 years, 2 of them in internatioinal setups. It's fairly common.

Re:PGP

Oh, nothing to worry about then!

I would have typed a longer, more in depth message, but I've got to get back to explaining to angry users why I've revoked there keys. *grumble grumble*.

Re:PGP

Consider IBE. Check out www.voltage.com

Overcomes some of the hard stuff in PGP and others

Re:PGP

[blueg3]

Oh, sure -- the only point is that once your encryption is stronger than all your other points of failure, it's no longer worth caring how strong the encryption is.

Re:PGP

[Hoch]

Actually, no. An extra bit doubles the work for a brute force attack. Do the math.

Re:PGP

[chasd]

WebDAV using HTTPS ( SSL ) is an excellent solution.

1)
No special firewall settings
2)
Works through proxies
3)
No special client software, since it is built into Windows, OS X, and Nautilus

These top three make it so no IT involvement is required on the client end.
Also:

4)
When using apache as a server, it allows many options for authentication
5)
Easy to have individualized shared areas

Re:PGP

[mark0978]

What is the point of using PGP to send a package to someone that obviously is clueless about security? They just wanted it emailed, if that is the case, then why give them the data at all. How do you know that once the data is outside your network, it will be cared for? If the intended recipient is not trustworthy, you might as well post it on a publicly available URL. We don't allow kids to drive because they aren't ready to take on the responsibility, I wouldn't give data to people that were clueless about security

Re:PGP

[LordActon]

e-mail isn't really a practical solution for a large volume data set

People keep saying that. Why? An email server specifically set up to receive large attachments would work just fine, as long as the sender's system isn't constrained.

On the wire, email is is a plain-vanilla file-transfer protocol, indistinguishable from ftp. It has the advantage of providing almost no attack surface, because the sender can't log in. As long as the data are encrypted, it's about as secure and reliable as can be.

Re:PGP

[Antique+Geekmeister]

You've just described the problem wiht IPsec setups. The server has to support tools not necessarily built into the file sharing system itself. There's also the issue of sniffing the traffic on each side of the IPsec tunnel, and handling the multiple channels needed for FTP makes it that much more complex to support. And there's the issue of corporate clients, or thin clients, where they're not allowed to install non-approved software.

Sending passwords to people via USPS or registered mail is expensive, and relatively slow, and doesn't protect the passwords from being stolen if the site is going to exist for long. Securing data transfers takes thought, and planning, to fill the server's needs and the client's needs andn abilities.

Re:PGP

[Eskarel]

Because it's not indistinguishable from ftp. Ftp is a two server protocol which is designed to transfer files. E-mail is a service which can go through any number of servers all but two of which will be outside your control and which was designed to send small amounts of text. Even attachments in SMTP is a bit of a nasty kludge as much as we've been doing it. It's not the right solution to the problem.

Re:PGP

[LordActon]

I grant all your points, although I don't know why you say attachments are a "nasty kludge". I don't know what it means to add a kludge to a message transfer protocol that is free to mangle the message. No "\nFrom"? Please.

We're making different assumptions. I assume receiver controls his DNS and can configure SMTP hosts special to the purpose. Not only that, but it really isn't gobs and gobs of data the OP is sending, unless his company employs half of China. I'd wager even money their regular email systems handle attachments that big all the time.

If you set up your DNS with MX names under your control and spec them appropriately (and the sender does the same) SMTP gives you a one-hop file transfer system with redundancy. No firewall gimickry, no passwords, no shell. More secure, more reliable, and simpler to use than anything else.

Re:PGP

[Grendelshitsuren]

Pig latin rules!

Password protected PDF!

[Boogaroo]

Redacted using FBI security techniques will guarantee absolutely nobody will be able to see it.
Make sure you send the password with the file.

Re:Password protected PDF!

[genderbunny]

Nice, but it will never be as secure as sending a Word document with the font changed to Windings.

Re:Password protected PDF!

[gmpassos]

Will be more secure send a doc in a strange language!

Re:Password protected PDF!

[morgan_greywolf]

Nice, but it will never be as secure as sending a Word document with the font changed to Windings.

I once had a boss who really did this and thought it was a good way to protect secret information. No, I am not making this up.

Re:Password protected PDF!

[enoz]

Send it in OOXML, Word won't even open it!

Re:Password protected PDF!

I agree about that. Here's a live shot of a (formerly) large-ish corporation encrypting their proprietary source code in the Symbol font. I mean, it was so encrypted, they could show it in a PowerPoint presentation in front of the public!

Re:Password protected PDF!

[gmpassos]

Best idea! Will be so secure that no software will be able to open it anymore.

Re:Password protected PDF!

[Z00L00K]

If just both end get an email certificate and makes sure that the documents sent by email are encrypted you shall be fine.

The only catch is that the mail programs are so inferior when it comes to make security easy.

Otherwise a VPN connection would be the best alternative and then have a document share that's very restricted.

Couple idea's

[Drakin020]

Why not some kind of secure FTP Server for her to download it?

Or if the area is not to far, why not burn it to a CD or some other kind of media and physically take it to her.

Re:Couple idea's

[77Punker]

How about SCP over SSH? As far as I know that's quite secure and I can tell you from experience that it's damned easy to set up and use.

Re:Couple idea's

[Rorschach1]

Or if it needs to be sent across the country, use registered mail. Registered mail (not certified mail) gets locked up and tracked very closely. It's way more expensive than regular first class mail (about $10 for a letter) but it's cheaper and more secure than, say, FedEx.

Re:Couple idea's

[pwizard2]

How about SCP over SSH? As far as I know that's quite secure and I can tell you from experience that it's damned easy to set up and use.

I was about to say that, but you beat me to it. If I really wanted to protect something good, I would prepare a small truecrypt volume
If I wanted to be really devious, I would make a 700 MB truecrypt file, name it after a well-known movie, and then give it a .avi extension before sending it out (probably on CD, since 700 MB downloads still take time these days) . If it is compromised, it would simply look like a media file that the interloper's player software didn't have codecs for (unless they knew what it really was) or simply a broken/corrupt file.

Re:Couple idea's

[alcourt]

scp creates a problem of securing the remote machine. Generally, I advise a SSH passthrough mechanism, using forced commands to restrict the writing to a filename chosen by the receiver and ensure that the account cannot be leveraged to copy other files, or eliminate the security protections and get a full shell. Since the key item of the fingerprint can be validated via out of band mechanism (telephone), it is feasible to ensure that the public key being installed is appropriate.

However, as we are talking about Sensitive Personal Information (SPI), the data should be encrypted at rest, not just in transit. While many have suggested GPG/PGP, that fails because in order for the data to ever be utilized, it has to be decrypted on disk and it will then stick around. Some have suggested truecrypt, which, when used where that works, is a good choice. The key answer depends on data not provided: platforms used by the different parties, direction of traffic, one time transfer or not, format the data currently exists in (is it in a database?), etc. For example, if this was a regular transfer and mainframes were involved, I'd advise using Connect:Direct with SecurePlus of data where the individual sensitive fields are encrypted. Commercial product, but sure beats the socks off anything else I've seen proposed for getting files reliably to mainframes. (And yes, that product is available for Windows and Unix).

The nice thing about many databases today is the fact that one can encrypt individual fields or columns of a tablespace. That provides a mechanism to ensure that the data remains encrypted and is only decrypted on an as needed basis.

Re:Couple idea's

[77Punker]

Come to think of it, if this is a relational database, I say don't send it to them. Just give them an account with limited access because even if it is Truecrypted, you're still waiting for someone on the other computer to fuck up.

By Hand

[rueger]

Deliver it by hand.... if you're lucky they'll give you one of those cool attache cases that handcuffs to your wrist.

Re:By Hand

[Dirtside]

No, if you're lucky, they'll include a key. If you're not, they'll include a hacksaw.

Re:By Hand

[jfinke]

and get a reciept saying it had been accepting and what the consultant's responsibilities are in handling the data.

Re:By Hand

[Hes+Nikke]

and get the receipt notarized for crying out loud!

Re:By Hand

[Reece400]

Yes, Have a lawyer draft up a good solid disclaimer to be signed by the consultant/consultant's organization. No matter how secure it is in transit, it's once it's in their office you may really want to worry about...

Re:By Hand

[Repton]

Seriously --- why not? Stick the data into a truecrypt volumne on a USB thumb drive (or USB hard drive, for big data). If the contractor is nearby, walk over and type the password in yourself. If not, courier it and use encrypted email to transmit the password (or just tell the guy over the phone).

Re:By Hand

[jfinke]

The name of the game is transferring the risk. ;)

Re:By Hand

[Hungus]

Absolutely! Or send 2 couriers, but they should by no means be sent together, nor should they be sent by the same courier company. Contact a licensed security or private investigation firm in your area as they are bonded and frequently have secure couriers at a minimal charge.

Re:By Hand

[Cyberia]

How about plastered all over the side of a truck, like a certain CEO? Hey, if it's good enough for him, it's gotta be safe! And you have witnesses, and I'm sure they will swear that the data was delivered too, intact.

Re:By Hand

[morgan_greywolf]

Two words: Johnny Mnemonic.

Re:By Hand

Don't trust the phone unless you are certain it's secure (not sure how that works). Big brother is listening.

Re:By Hand

easily defeated with a few lines of code

class grab_data
{
      public void stun_gun()

      public void machete()
}

Re:By Hand

[RiotingPacifist]

Its ok make sure you use a navajo code talker
http://xkcd.com/257/

Re:By Hand

[JSThePatriot]

If not, courier it and use encrypted email to transmit the password (or just tell the guy over the phone).

I would like to point out that while we're discussing all this information about being secure that several times people have mentioned passing information over the phone as a secure method of transport for passwords or other secure information. Without having a secure phone line (not available to many people) you are still creating a weak spot in your plan.

Re:By Hand

[marhar]

No, if you're lucky, they'll include a key. If you're not, they'll include a hacksaw.

Or if you're really unlucky, a machete.

Re:By Hand

Exactly what we did with a huge data archive. We of course had contracts and confidentality agreements in place, the only issue was the transfer of about 9GB of sensitive data.

Re:By Hand

[Endareth]

Actually I'd tend to agree, especially if it's in the same geographic area. Except I'd use an IronKey flash drive to maintain security.

Re:By Hand

[StarfishOne]

Hmm.. how about (an encrypted) Skype (call)?!?

Re:By Hand

[cp.tar]

The handcuffs are not, as both British and American secret services have demonstrated a number of times, meant for prevention of cutpurse-style data theft, but for prevention of data loss due to forgetting the damn case in the cab.

Re:By Hand

[ze_jua]

+1

If you have to do this just one (or few) time, just burn a DVD or record a tape, and give it by hand (or by a trusted carrier).

The file(s) on the media can be encrypted to avoid problems if the media is lost|stolen|trashed before to be destroyed.

Re:By Hand

[Mr.+Moose]

And if you are really, really unlucky, it will be inside the case.

Re:By Hand

[Tim+C]

Personally I'd burn it to CD or DVD rather than put it on a drive if it's that sensitive. Much much easier to destroy once it's finished with.

That said, I'd need to hear a damn good reason before sending the real data over in the first place, especially if the final installation is going to be on-site. Send them some anonymised dummy data; problem solved.

Re:By Hand

[Ceriel+Nosforit]

No seriously. Not 'Funny', but 'Insightful'. If you care at all about security, you do not send your sensitive data over a hostile network. In fact, the data should never even be accessible from a hostile network.

Minimum security in this case would be to require the receiver of the data to work with the data on a computer which is not connected to a network, because once malware infects their network no amount of encryption will keep the data safe.

Put the data on physical media and have it delivered by a security company that does transport of valuables.

Now if you were SERIOUS about the security, what I've mentioned previously being only minimum security, you would further require physical security at the receiver's location. Not just the security that placates insurance companies, but the kind that aims to actually PREVENT theft.

Re:By Hand

HR: This is our most sensitive data. We need you to take every precaution in delivering it [Hands you the cool looking attache cases that handcuffs to your wrist...]

You: Wow, this is an important assignment. How do I get this thing off my wrist to give to the consultant?

HR: [hands you the hacksaw...] We expect that case to be returned undamaged.

Re:By Hand

No, if you're lucky, they'll include a key. If you're not, they'll include a hacksaw. Hopefully not one too dull to cut the handcuffs...

Re:By Hand

How do you know you're giving the password to the right guy over the phone?

Re:By Hand

[Repton]

Without having a secure phone line (not available to many people) you are still creating a weak spot in your plan.

Yeah, but you're changing the nature of the risk.

If I stick the data on a thumb drive and carry / courier it to the consultant, the primary risk is that either I or the courier company will lose the thumb drive and that an opportunistic finder will take advantage of the sensitive data.

A secondary risk is that I will be mugged, or the courier company robbed. Much lower.

Finally, we get to the risk you're talking about: that a malicious organisation has tapped my phones, and plans to track and intercept the courier carrying the data. As a risk, this seems to me vanishingly small, unless you work with incredibly sensitive data. And, hell, if your enemies can tap your phones, they've probably got better ways of getting at your data anyway.

Remember, you can't eliminate risk. There's always the chance that someone will grab your encrypted data and guess the password. You have to choose what level of risk you're comfortable with.

Re:By Hand

[JSThePatriot]

Repton,

I appreciate your response. That is what I was pointing out they are simply changing the risk. There's never a way to remove all risk. If someone wants something they will get it. Not saying not to try, but there's certain limits that go beyond reasoning. A phone call isn't one of them, but I was trying to point it out that people will get what they want. You have to be reasonable in your choices of security measures.

Just my 3.25 cents.
JS

How would I prefer to send sensitive data?

[Orange+Crush]

Not at all if I could avoid it, that's for sure. Why can't the consultant import the data into the new package on-site? Even the most secure transmission method can't stop someone outside of your control exposing that data. I'd be talking to my HR people and begging them not to send this data out. Probably a good idea to talk to Legal too.

Re:How would I prefer to send sensitive data?

[rah1420]

Not at all if I could avoid it, that's for sure.

Second this. Depending on what kind of data, you can run afoul of many many laws if the data becomes compromised. My wife's company has this issue with health care data, and HIPAA laws are so damned toothsome.

Have the consultant import the data on-site, and make sure that company assets are used to do this so that the data doesn't leave.

Re:How would I prefer to send sensitive data?

[pushf+popf]

Put it on a DVD and hand-deliver it and have them sign for it. Make your boss give you a signed document authorizing the release.

Re:How would I prefer to send sensitive data?

[Ethanol-fueled]

1)Make haphazard arrangements for sensitive data to be transported offsite. 2)??? 3)Report "accidental" data loss and receive a slap on the wrist, if even that. 4)Split mysterious cash flow between the Russian Mafia, the consultant, and the corporate bigwigs. 5)Profit! 6)GOTO 1

Re:How would I prefer to send sensitive data?

[Tex2000]

The policy in my current company is that NO DATA is shared unless we have a "Non Disclosure Agreement" (NDA) Signed with the company/consultant that needs to work with our data. Have your legal department prepare such an agreement with items such as penalties for improper use of the information..

This kind of agreement sometimes scare consultants or companies, and it's cause for some struggle, but in the end if they can't handle the responsibility over your data then you should find someone who can.

Re:How would I prefer to send sensitive data?

Standard practice with medical records at large medical centers with EMR's is to send dummy data for development. Final data load occurs only within the controlled environment. If live data is truly needed there better be a VERY good reason -- which really means a reason that'll go so far up the decision making food chain that it'll take six months or more to release the data to the extra-mural entity.

Re:How would I prefer to send sensitive data?

[maz2331]

NDA's are only scary if they become overly broad in scope, and can apply to other activities that don't compromise the "data" disclosed.

Re:How would I prefer to send sensitive data?

I agree. The consultant should be able to import data on site or provide instructions for doing so. A true security consultant should be able to write the scripts / queries necessary for data migration by only knowing the said data format's specifications. The consultant should not need physical, unencrypted, viewable access to the data. Besides, if it is a database, the SSN's should be stored with reversible encryption (as should credit cards). Thus verification of the migration can be done by comparing the encrypted strings stored in each field of the database.

Re:How would I prefer to send sensitive data?

[pmsbony]

Third this. surely for testing purposes the consultant only needs a data set that is functionally correct, rather than actually giving the live data. As long as the sensitive data is valid (right number of characters etc) that should be enough for them to be getting on with. If they absolutely had to have the real data then they would do it via a machine provided by me with full hard drive encryption including the software they needed to do the job.

Re:How would I prefer to send sensitive data?

[wkk2]

I would also seed the data with a few extra bogus records so if it ever leaks you will be able to identify the source.

Public-key crypto

[chrylis]

In particular, I'd suggest using PGP. It supports authentication of the data and is easy to use for individual files.

Ask the recipient to provide a public key over a known-secure channel (such as by courier).

Re:Public-key crypto

[tmj0001]

A public key can be just that - public - without loss of security. They can send it on a postcard, or paint it on the outside of their building, or even post it on their web site.

Re:Public-key crypto

[RKThoadan]

While its generally true that the public key should be public, the issue then becomes just how do you know whose public key you are getting? You should attempt to authenticate that the key you have is indeed their key.

Re:Public-key crypto

You don't say which country you are in and the consultant is in. In many countries (most of Europe, Australia etc.) there would first of all be the responsibility to ensure that this information was to be handled consistent with the relevant privacy laws in your country. There may be additional company policies which may possibly be more stringent than this (eg. you are working in the USA but the company is transnational requiring it to have stronger policy than USA law).

Then to the easy part, the technology that should be used ... others have already suggested appropriate encryption. Any well regarded PKI-based approach should be suitable, including sending a file encrypted by PGP, or using an encrypted channel such as SFTP or HTTPS to send a plaintext file.

Re:Public-key crypto

[Zentrus]

A public key can be just that - public - without loss of security. They can send it on a postcard, or paint it on the outside of their building, or even post it on their web site. I hope you mean a SIGNED public key that is signed by a key you already trust. If the company is sending out unsigned public keys and using them, nothing would be preventing someone else from claiming they are the same company.

Re:Public-key crypto

[pincho23]

That's what fingerprints are for. Just pushes the problem one step further, but they are short enough to somewhat reliably compare them by hand.

TrueCrypt?

Is there any reason you just can't email a TrueCrypt volume and tell her the password in person?

pgp on a dvd or flash drive

[rboatright]

unless the data set is so large that the answer is pgp on an external hard drive shipped by fedex. and send the password by a SEPERATE CHANNEL. I prefer to send the key by TELEPHONE -- spoken, but that's up to you.

Re:pgp on a dvd or flash drive

If it's PGP then where does a password come into it?

And telephone? OK it'll stop Joe Mail-Theft for getting it but if there's one thing that should be painfully obvious by now it's that the phone network its wide open for anyone who's willing to put down a relatively modest amount of effort into it.

Re:pgp on a dvd or flash drive

[spazdor]

that's okay. If you're willing to go to the work of a key exchange over the phone, you might as well tunnel it.

Generate a keypair and instruct the remote party to do the same. Exchange public keys, then sign the HDD key with your private key and encrypt it with the remote party's public key. Then you both have the assurance of having heard (and presumably recognized) the other's voice, and you have guarded the transmission of the HDD key against eavesdroppers.

Re:pgp on a dvd or flash drive

Telephone is not a secure channel of communication. Cell phone? Easy to tune in your cell frequency with a consumer radio meant for cellular frequencies. Landline? Chances are somewhere along the line parts of the conversation are being recorded. The only secure option would be a direct encrypted VOIP communication w/o an intermediary server.

Re:pgp on a dvd or flash drive

[Fri13]

1. Use PGP (GPG)
2.a Send data if small size, trought email.
2.b Send data if big size, trought signed delivery

There is no need to use password for it. Just ask other side to make secure PGP key and send it to you and crypt+sign data with it and then send it.

If there is need to have password for data so package is self extracted, send data one way, and password by other. Hide it among other information. Make a table of letters and numbersand hide it there. Then call to person who got the data and tell him coordinates where he can find password and how long it is.

If you need to send mail (fedex, UPS etc) send first package by one company and other information by second, so if other is compromised, package is still safe.

Re:pgp on a dvd or flash drive

[rboatright]

you're right of course... never post when sleepy.

Re:pgp on a dvd or flash drive

[rboatright]

digital cell signals are non-trivial to intercept. almost all analog cell signals interceptable with a scanner were discontinued in Feb.

Re:pgp on a dvd or flash drive

[rboatright]

Never post while tired... key not password. and key exchange by SOME channel other than the one that you ship the data by. Neither channel may be totally secure, but by seperating the key exchange and the data you require compromising BOTH before you can get at the data.

Re:pgp on a dvd or flash drive

[Hatta]

You speak an entire 1024 bit pgp key over the phone? That's insane. Why not just email them your public key, and tell them the fingerprint over the phone. At least that's just 40 hex characters, and not 128 characters of random ASCII.

Re:pgp on a dvd or flash drive

[Jaxoreth]

unless the data set is so large that the answer is pgp on an external hard drive shipped by fedex.

and send the password by a SEPERATE CHANNEL.

I prefer to send the key by TELEPHONE -- spoken, but that's up to you. Also, make sure you send the telephone by FedEx.

Locally

[thedarknite]

I'd get the consultant to come to the office. If the new software is going to be run onsite, there should be no reason why the data needs to leave. But if it does need to be taken offsite then having the consultant come in to collect it makes them responsible for keeping the data secure.

If she's cute....

[EmbeddedJanitor]

Take some of those fur-lined handcuffs too. Do it on a Friday and get the weekend.

Even public-key is too complicated

Straight symmetric encryption with a key recited over the phone. No need to mess around with public keys and importing them and all that.

Secure FTP

[Dirtside]

FTP over TLS is a decent and simple way.

Sending sensitive data isn't that hard.

Send all the data via FedEx on a CD, in an encrypted file. Send the password via e-mail.

Of course, this doesn't address the issues revolving around exposing all this data to your consultant to begin with.

Re:Sending sensitive data isn't that hard.

FedEx not that good - doesn't deliver everywhere (as advertised).

E-Mail

[bluefoxlucid]

Deliver the data by e-mail, but store it such that it's determined losing it does not present plausible risk. I mean what other options do you have? Authenticated download over SSL perhaps.

PGP maybe. Say we PGP encrypt an e-mail. We now rely on the secrecy of the recipient's private key. This means we rely on the recipient's security infrastructure to properly protect a piece of data until the data we transmit has become non-useful (this includes destroying all copies of the key -- when actually done, we guarantee the key remains secret forever). Can we trust this? Not really.

Well with SSL, the certificate gets verified against a CA signature. The client automatically establishes encryption in a secret way (randomly generated public key, sent to server, which sends a signed and encrypted session key) so we know no third party can eaves drop, without any infrastructure on the client end. Now, this is where I pull up Ettercap in the next hotel room over, and the client clicks "Accept certificate temporarily for this session" when it warns him my MitM cert is self-signed. Again, can't trust this.

Well, let's hand it off on a USB flash drive. Does he lose it? Leave it in his car? Hell, it's now on a storage system at another company with odd security practices. Again, out of your control.

All solutions suck. Transport isn't an issue, it's ensuring data confidentiality at the destination (including any encryption keys used to secure the transport, as well as the decrypted data itself once stored at the other end).

Re:E-Mail

[xaosflux]

The security of the vendor is what needs to be considered, secure data should only be given to trustworthy, secure entities. BEFORE contacting the vendor, they should be evaluated with industry standards such as SAS70-II. After that, data encryption is much more secure then transmission encryption, use PGP/GPG with public keys, if the vendor can't/won't but you still must deal with them use PGP self-decrypting-executables with a STRONG passphrase.

Re:E-Mail

[this+great+guy]

The most secure solution is the following one: put the data on a laptop using full-disk encryption and a hardened secure OS install. Send the laptop to the contractor via UPS/Fedex. Give him the password in-person. Explicitely forbid the contractor to move the data out of the laptop. Of course, let her install the tools she need to process the data on the laptop itself. When done, she mails you the laptop back.

Re:E-Mail

[this+great+guy]

Give him the password in-person

Oops the rest of my message was assuming you can't physically meet her. So by order of preference: email+encrypt it, or give her the password over the phone, or mail it in an envelope a few days apart from sending the laptop.

Basically the hardened OS config will defend against what I think are the most likely threats: inexistent or bad IT security policies at her site/company.

Re:E-Mail

[owlstead]

The trick with PGP is to send the public key using email (if possible, let multiple persons sign the key first). Then call the person that is to receive the key and tell him the key signature. He can check after importing if the key is indeed the right one. Or SMS it to his cell phone.

Even without these measures, what is the chance you get the wrong key just as your contact send his key to you? With the same from address? Quite negligible I guess. The PGP protocol is pretty secure, and I don't see too many attacks on 2048 bit DSA keys (the default) in the near future.

Another advantage: everyone can download GPG for free and you don't need to setup servers etc. for it to work. If you don't like the stuff in your mail client you could just encrypt/sign the attachments.

Two security hints though: mail headers (including the subject!) are not encrypted or signed and not every mail client can handle encrypted MIME messages.

Re:E-Mail

[bluefoxlucid]

Send the public key and have him send you a message encrypted with the public key, then phone you and tell you its contents. Only you can read the message, and only he can know what it said before you tell him. QED.

Physically taking a copy there in encrypted form

[blankoboy]

It's the only way to be near 100% sure it gets there unmolested.

Why not email it?

[MacDork]

The following has been my email sig for years. Did you know that, to date, only one person I know has made use of it?

Learn how to secure your email
(Mac OS X 10.3+) http://www.joar.com/certificates/
(Windows) http://www.marknoble.com/tutorial/smime/smime.aspx

Whatabout...

[FSWKU]

...using TrueCrypt to secure the file then sending it via a secure FTP? It's exceedingly simple to use, and you secure it to your needs. All she has to do is mount the file and type in the password you give her. Tell her you will send the password via another means, and send it via registered mail making sure that there is absolutely no clue on the paper as to what the text means.

Re:Whatabout...

[Cryacin]

It's exceedingly simple ... All she has to do is mount the file and type in the password you give her. Why did I just picture a HR manager straddling a filing cabinet reaching for the keyboard?

Re:Whatabout...

[afaik_ianal]

Something to keep in mind when sending data and key via separate means, is most physical transfer mechanisms are tamper evident, not tamper proof.

If you send the password in a secure envelope by registered post (or by hand), and the recipient receives it, you know there's a pretty good chance no-one else saw it.

There is nothing, however, stopping someone from intercepting it, and keeping it (although you will find out about it)

It seems obvious, I know, but the logical conclusion is that you should always send the password *before* you send the data. That way, you can confirm that the password made it intact before letting the encrypted data out over an unsafe channel.

Short of securing the data channel (and all the key exchange problems that come with it), you don't know if someone has intercepted a copy of the encrypted data. If they then intercept the password as well, it's too late to protect the data.

Re:Whatabout...

[LuminaireX]

Like Paris Hilton on a pineapple?

encrypted filesystem on a USB drive

[gambolt]

If you're talking several gigs of data, put it on an encrypted drive and FedEx it. Send the password or key via encrypted email.

Re:encrypted filesystem on a USB drive

[sconeu]

Seriously, yes.

Back when I worked for a defense contractor, FedEx was legal for shipping classified hard drives.

Re:encrypted filesystem on a USB drive

[TehDuffman]

Its not anymore... We need our crypto in safes and SIPR hard drives in locked boxes with a Marine with eyes on it at all times.

Then again i could get anyone in my Company's SS and what ever else i want so easily its ridiculous but whatever.

Public key is to complicated for a simple one-shot

[RickRussellTX]

Simply use symmetric encryption (AES-256, for example) with a strong random key, then provide the key on a separate hand-delivered or voice-delivered medium.

Public key doesn't really buy you anything in this case -- if somebody grabs their copy of the symmetric key, you're screwed. If somebody grabs their copy of the private key, you're screwed. Protecting the private key with an additional symmetric key doesn't make it more secure.

But explaining to a clueless consultant how to keep a single key secure is a lot easier than trying to explain public key/private key operation.

Simple...

[Jane+Q.+Public]

If this is a manual task, and you are on a *.nix box or similar (OSX too), just use scp (Secure CoPy). If there are lots of files, package them first to make things easy (tar.gz or .zip or whatever), and just scp the file to the other computer. It takes the same parameters as ssh and uses ssh but was designed to just send files securely. With scripting languages you can also automate this process.

Re:Simple...

[mariuszbi]

Or on windows , use WinSCP.

Re:Simple...

[ewanm89]

winscp is an easy to use, gui scp file manager for win32.

Gnupg via Debian Etch

Make sure to install a stock, unpatched version of Debian Etch to ensure proper, secure entropy on your encrypted data.

Dearly,

The National Security Agency

Pinkerton

[tverbeek]

Hand delivered by a trustworthy courier.

Re:Pinkerton

[jamesh]

Or, if the consultant is somewhere nice, hand delivered in person. "Sorry boss, I don't trust anyone else to deliver this keyring sized memory stick to Hawaii."

Re:Pinkerton

[Hanners1979]

Or ninjas.

Don't follow Sallie Mae's example.

[mpaulsen]

http://www.ownrecognizance.com/salliemae.html

"Your account updates are viewable in the attached PDF document. The file is password-protected and you need to enter your Social Security number to open it."

OTP

[Iamthecheese]

Well, the first thing you need is physical security. I would reccommend Blackwater for their premium quality goons. You'll need at least two platoons and a morter squad. Then you'll want to hand-deliver a one time pad to their secure vault, with a completely off-network computer to do the decryption. You can solder off all the connections except a secure thumb drive for the OS and the DVD containing the OTP. You'll have to keep your own copy of the OTP in your own vault. And I highly recommend Windows ME on a Dell for the encryption routine.

Re:OTP

[Lehk228]

I would reccommend Blackwater for their premium quality goons.

when you need genuine grade A goons, the SA forums are the place to go. Blackwater are just imitation goons

Re:OTP

This is not a whole hell of a lot different from when I used to do ATM work. Pretty much the only thing different is that the Dell ran Win2K, and our armed security wasn't from Blackwater.

Re:OTP

[Darth+Muffin]

Only tactical mall-ninja wannabes use thumb drives. REAL operators send a string of goons there, each with one bit.

Re:OTP

I wonder, what could possibly be the use for Windows ME on an encryption machine... but thinking of the debian OpenSSL debacle, I understand.

What could possibly be more random then any task performed on the Windows ME platform.

guaranteed delivery

[Dr.+Cody]

thumb drive in your bum-bum

Re:guaranteed delivery

But then you'd have to wait for the next release cycle.

Re:guaranteed delivery

[fwarren]

What if you come in into intimate contact with a magnet?

GPG? The Open Source Version of PGP

[NeverVotedBush]

I agree completely with Orange Crush. You let that data out and it is now subject to this other entity's security policy.

If you are going to let it off-site, is there a contractual agreement regarding how the data will be protected? Are their security policies audited by a third party? Worst case, does your company's insurance cover financial losses due to a third party mishandling your data?

I'd provide them with dummy data in the proper format to simulate your company's data and do like Orange Crush suggests and put data and application together only on your own premises.

But if you can't/won't do that, I'd say encrypt the hell out of it and burn it to CD, and send it by registered courier where someone has to sign for it to acknowledge chain of custody. Send the key by an alternate method.

Do you know this company's security policies? Are there any kind of investigations/background checks performed on its employees? If it is a small shop, what kind of firewall protection do they use? Is some programmer's kid using his laptop to play games on the Internet and download "free" screen savers or ring tones?

I assume that your data is in there too. How would you want it handled and what would you consider doing legally to your company if the data was in any way mishandled and your information to find its way into some identity thief's possession or posted on the web? What if your identity were to be stolen and your accounts raided or your credit ruined?

I know this probably sounds fairly paranoid and I'm sure a lot of people might suggest easier and less secure approaches, but the reality is that this kind of data is a target and far too many people do not properly protect their business computer systems because they just don't realize how pervasive intrusions and spyware are.

How would you want your data handled?

Re:GPG? The Open Source Version of PGP

[NeverVotedBush]

There are a lot of good posts in this topic. Especially the ones about the legal issues.

These days a big issue is CYA when it comes to people's personal data. As others have noted, be sure to investigate any laws that might define how the data must be treated if it has to go off site. Be sure that your management signs off on the procedure and be sure you can document it.

The days of just letting people download data are long gone. And don't use FTP if you do. Use the secure version (sftp) and encrypt the data before it transfers. That way it's an encrypted tunnel carrying encrypted data. But I wouldn't recommend this method. I'd get a signed chain of custody with media physically delivered and assurances that all copies of the data is completely and securely destroyed and the original media returned when the job is finished.

Best way is not to let the data out in the first place.

Re:GPG? The Open Source Version of PGP

[MyDixieWrecked]

gpg/pgp is great for the transfer... however once it's in the person's inbox, you have no idea what they're going to do with it.

Giving anyone other than my parents personal information about myself (credit card number/ SSN) over the phone pains me. It feels like I'm running a red light every time and I'd rather not do it.

Re:GPG? The Open Source Version of PGP

[denobug]

Well said my friend. I cannot imagine a good reason why would a reasonably sized company would not host their own HR system. Also a half-way descent system like this will most likely have a fairly straight forward data-entry mechanism that anyone with some training can reasonably pickup and process it.

Sensitive data as such should almost always handled in-house, unless the third party and the senior executive will pickup the responsibility should anything go south (not a very likely scenario in most cases).

Re:GPG? The Open Source Version of PGP

And don't use FTP if you do. Use the secure version (sftp)

The acronym for secure FTP is FTPS or FTP/SSL. It uses SSL certificates to authenticate the server in order to prevent man in the middle attacks. SFTP is something else.

Re:GPG? The Open Source Version of PGP

[NeverVotedBush]

SFTP is also used. I guess it has been co-opted from simple file transfer protocol which I don't think is used much any more because of its security weaknesses.

http://en.wikipedia.org/wiki/SSH_file_transfer_protocol

Re:GPG? The Open Source Version of PGP

No, SFTP is SCP with a commandn line interface. It has ***EVERY SINGLE FLAW*** of rcp and scp. It mishandles symlinks, it has no chroot cage built in, it has no graceful 'mirroring' utilities to ease synchronization of bulky materials without retransmitting, it has no verification of matching successful transfers, and is generally a bad idea except where you already provide SCP access and the users have shell accounts.

Re:GPG? The Open Source Version of PGP

[VdG]

These days a big issue is CYA when it comes to people's personal data. It shouldn't be. The issue should be to ensure that valuable/sensitive information is appropriately handled. If you do that properly, then your arse is covered automatically.

Re:GPG? The Open Source Version of PGP

[stephanruby]

Also, ask the HR Director for the phone number and call the consultant directly. You've been given a ton of good advice already, but don't fire off a huge email explaining everything -- making a mountain out of a mole hill. Sometimes a quick informal exchange with the actual developer who requested the data will clear up any issue. For instance, just state your concerns over security, and let the guy himself offer up a solution, the guy may just say, sure just take out the SSN numbers, or "no, I didn't really need all the data", or "actually, I just had a couple of questions". And then, you either accept the offer, or make another counter offer. Usually, it's probably a good idea to exchange phone numbers anyway with such a person. You never know what they might need from you. And you never know what you might need from them. You could hit that guy with a policy and procedures manual, and you could assign him a ticket number, but usually you should reserve such formal treatment for people you don't like or people you don't have direct access to. I say make the call. A quick phone call may solve your concerns, all the while save you hours of work trying to go through a somewhat clueless intermediary.

Re:GPG? The Open Source Version of PGP

[skeeto]

information about myself (credit card number/ SSN)

Note that credit card numbers aren't that big of a deal. In the US at least, you are only responsible for the first $50 in fraudulent charges, so by transferring the number insecurely, such as over the phone as you said, you are risking at most $50. The good news is that if something does happen you will most likely (almost guaranteed) not even be charged that $50. Just be diligent with keeping an eye on your statements.

Debit card numbers are another thing, I believe (not sure). Careful with those.

Re:GPG? The Open Source Version of PGP

Unsuspecting courier or cracker? Genius.

Spy Style

[bsDaemon]

Encrypt the drive and put it in a locked case, handcuffed to your wrist. Have a second person carry the key to the handcuffs and to the case and take a separate train. Just for good measures, send out decoys for both yourself and the man with they. Rendezvous at the consultant's headquarters.

Don't forget to wear mirrored sunglasses.

SFTP

[Nimey]

At least as secure as FTP/TLS and it's firewall-friendly. Takes either passwords or keys, or both.

There's good cross-platform support for the protocol, too, and lots of clients.

Use RSA with AES!

[gmpassos]

Just use RSA with AES.

You create a RSA certificate for you and for the consultant (destiny). Then you create an AES key (session key), and encrypt your data with AES, than you encrypt your AES key with the public RSA key of the destiny. So only the destiny will be able to decrypt your data, using the consultant private RSA key, that will decipher the encrypted AES key, that will be used to decipher the data.

Note that RSA is very, very slow, and this is why you should use AES over your data, and RSA will be only over the AES key. Also creating an AES key for each delivery will be more secure, since you won't use the same symmetric key over you data, and will reduce the possibility to attack your RSA key since the AES key will always change.

All of this are just basic usage of symmetric and asymmetric ciphers. Using this you also can send your data over e-mail, since security is not based in the protocol that you use, but is based in cryptography and math.

You can implement all of this easy with Java 1.6, that will work in many OS and already have support for RSA and AES to do all of the cryptography work. Java 1.5 doesn't have AES, that is the recommended symmetric cipher in this days.

What about once it gets there?

[Geek_engineer]

I would be much more worried about the security after you get the data there. How does the consultant protect his network (wireless???) and physical building? Does he keep the data encrypted so if a computer is stolen, it cannot be read? There are any number of good encryption methods to use in transmitting the data, then phone with the key.

Re:What about once it gets there?

[Swampash]

I would be much more worried about the security after you get the data there.

Speaking as if I was the poster of the original question, I don't care what happens to the security after I get the data there. It's not my problem.

Re:What about once it gets there?

[nine-times]

I guess that depends on your situation. If you're in a position where you can just CYA and not worry, then CYA and don't worry.

However, sometimes doing the wrong thing will get you fired, even if someone asked you to, because you should know better. Also, some people like to do "the right thing" even if doing stupid things won't get you in trouble.

Re:What about once it gets there?

[denobug]

As far as the off-site security, a better question would be:

Why is the management not the one sending this information out instead of YOU, an non-HR personnel, is sending it.

I think you can figure out very quickly if you do care about the security once the data gets there.

Re:What about once it gets there?

[Swampash]

When someone with the word "Director" in his job title "tasks" me with doing something, then you better believe I'll be doing what I'm told and covering my ass while I do it. If the task is "send this sensitive data to a consultant and do it securely" that's exactly what I'll do, and I'll do it in such a way that it can be proven that I did it and how I did it. I don't see any mention of being tasked with assessing the security policies of an outside consultant.

Re:What about once it gets there?

[Tarwn]

Personally I would forget most of the encryption and delivery schemes already mentioned above. None of them account for the security at the end-users site. Even NDA's do not strengthen the end-users security if it has holes (or is non-existent).

Using either the data export or a copy of the database you are exporting, create a series of scripts to junk the data. For the SSN field have it replace all of the digits in the SSN with randomized numbers. Swap values between each recor and a randomly chosen record for the first name and last name fields (independantly, so that no one record has the original first and last name together anymore). Do the same random number digit replace on all street fields. Do the random record swap on all city and state fields. Continue with whatever else you have.

This may take longer than just faking up some data, but it ensures they have real values in data fields for testing, the format of the data is exactly what your real data is, and it should be absolutely useless in the event of a security breach between the two sites or at their site.

Now send burn it to a disc and set it via registered mail to ensure it gets there.

Re:What about once it gets there?

[nine-times]

When someone with the word "Director" in his job title "tasks" me with doing something, then you better believe I'll be doing what I'm told...

And what if the word "Director" is in *your* job title. Sometimes it's not sufficient to say, "I just did what I was told" because sometimes part of your job (depending on exactly what rung on the ladder you exist on) is to speak up when you see someone else in the company about to do something stupid.

I see in the summary that the poster is being asked what his company's security policy is, which implies to me that he doesn't simply have someone higher up to defer to.

If, at your job, someone is asking you what the security policy is, and you're answering the question based on your own judgement-- i.e. you have no official security policy to point to, and you have no superior that you can direct the question to-- then covering your ass is not enough. If your in the position to be using your own judgement, then you had better exercise your judgement. CYA is not enough.

whatcouldpossiblygowrong

[robo_mojo]

The HR Director has tasked me with sending our data out of our network to the consultant that's loading it in to the new package. Obviously this data includes items such as SSN, Name, Birth date, etc.

whatcouldpossiblygowrong

Upon being told that I would not email this data to her, the consultant asked what my security requirements were for sending the data. What would be on your wishlist for the best way to send sensitive data to someone outside your firewall?"

Do you mean you actually do not have a security policy for this? Do your employees know that?

Re:whatcouldpossiblygowrong

[Ixitar]

Do you mean you actually do not have a security policy for this? Do your employees know that? Check to see if your company has a security policy. The HR Director might not be aware of this. If your company does not have a security policy, then raise the issue with upper management. Cite examples of when private data has been compromised through weak security and what it cost those companies.

You can use what you find out here on Slashdot to come up with some recommendations, but it is upper management's responsibility to create policy. That is part of what they are paid for. Section 404 of the Sarbanes-Oxley act requires that an enterprise have a security policy.

If your company does have a security policy, then you need to follow that policy. You are leaving yourself open to liability if you don't.

Re:whatcouldpossiblygowrong

[pthor1231]

Do you mean you actually do not have a security policy for this? Do your employees know that?

Whats so strange about not having a security policy regarding a scenario that they have never had to deal with, and attempting to make an appropriate policy before engaging in said act?

Don't over think this

[Alpha830RulZ]

If it were me, I wouldn't even be worried about FTP for a one time transfer. When was the last time , or the first time, you heard of someone sniffing sensitive data in mid transmission? The vast majority of compromise issues are due to compromise of files on a machine somewhere. You should be concerned about the work environment of the consultant, and procedures there, far more than how you get data to the consultant. Ad hoc work environments are usually far more lax in their controls than a production environment. HR departments are (in my experience) far less knowledgeable about how to protect data than IT types. This is where your risk lies.

We use an SFTP server for transmission of financial data, and I don't lose a bit of sleep over it. You are at much higher risk for either your HR department or the consultant doing something stupid with the source or result files on their network. Your need is just to make sure that it doesn't happen on your watch.

I would be more concerned about making sure that the HR folks and the consultant cleaned up their work files afterword.

Re:Don't over think this

"When was the last time , or the first time, you heard of someone sniffing sensitive data in mid transmission?..."

The first I heard of it was WWII.

I suspect you haven't heard of it recently because sniffers don't exactly want to make their listening known. I did hear about the NSA listening in on every email sent through the United States, however. Surely nobody else would have the money to be able to do something like that.

Well, maybe an oil country, or an oil company.

Re:Don't over think this

I would be more concerned about making sure that the HR folks and the consultant cleaned up their work files afterword. This sounds like a job for... DRM!!!

Seriously, it'd be nice to be able to put a timestamp on how long the file can be active for and on what MAC address / ip address the file can be viewed on.

This won't solve all of the security issues presented by aloof HR and consultants, however it could lessen the risk of a break in confidentiality.

Re:Don't over think this

[Beryllium+Sphere(tm)]

>When was the last time , or the first time, you heard of someone sniffing sensitive data in mid transmission?

TJX. It escalated to a compromise of the servers but started off with wi-fi eavesdropping.

The Wall of Sheep at DefCon.

Hannaford's breach, according to their CEO, was compromised "during transmission of card authorization".

>You are at much higher risk for either your HR department or the consultant doing something stupid with the source or result files on their network.

Which is your actual point, and is true and important.

Re:Don't over think this

[Alpha830RulZ]

I agree, I wouldn't send anything out over unencrypted wireless, but I'm still skeptical on the rabid concern on over the internet transmission. In the subjects you cite, none of them were sniffing packets on the public net. The wall of shame is just people setting up unencrypted wireless points, and Hannaford's problem was that somebody had smurfed the point of sale servers or terminals. FTA:

Hannaford disclosed in mid-March that unknown intruders had planted malicious software on the point-of-sale systems at some 294 stores. That malware let the attackers capture card numbers and expiration dates as the data was en route from the point-of-sale terminals to authorize transactions from shoppers.

But I suspect that we violently agree that the usual, easy, points of attack are in the endpoints. I guess I'd include the local wireless link in that grouping.

I see companies going to ridiculous lengths on endless policies and procedures, while tripping over themselves on obvious execution. I work with banks and other financial institutions. I came across an SFTP server recently that was configured so that every user could cd up out of their directory and see other users' directories. They couldn't navigate into those directories, so, everything is safe, right? Well, the user I was working with, it turned out, had the password for his account sent to the same value as the username. This was assigned by the central user administration team, in a fortune 500 company. I did a quick test, and, sho' nuff, other users had the password the same as the username as well. (note: we got them to fix that, pronto) In the same company, their double secret access control system has a max password length of 8 characters, [A-Z0-9]. That's right, no lower case. This is used to control access to PCI systems. They have a max failed attempt lockout policy, but it wasn't turned on on the system we were working on.

I like Bruce Schneier's thinking on this: a few measures, well implemented, are superior to an endless array of measures that are sloppily managed.

Re:Don't over think this

You are so clueless. You must have never seen the wall of shame at defcon and how many federal agents are displayed on it.

Registered mail

[baomike]

continuous receipt chain beginning to end.

Re:Registered Mail

[Animats]

Yes. Burn a CD, and send it by Registered Mail ($4.30), with options Restricted Delivery ($4.30), Signature Confirmation ($2.20), and Return Receipt ($2.20). It's a classic USPS service, and it's not computerized much. There are several little forms and labels to fill out when you send this at a post office, and the recipient has to be personally and physically present to sign for the item when it is delivered.

For that reason, it's useful when sending something important. The recipient has to sign for the item, the USPS checks their ID, and you get that physical signature card back. Which means that if there's a leak, it's easy to prove in court that they got it and nobody else did. It also gets across the idea that if anything funny happens, they won't have any excuses.

Re:Registered Mail

[Linker3000]

..and have a look at Axcrypt for data that's to be sent via CD/DVD (or emailed) - very easy to use to create encrypted, self-extracting (if you know the key) files.

http://www.axantum.com/AxCrypt/ ...and it's Open Source

Re:Registered Mail

[john.r.strohm]

The key is that it isn't just the recipient who signs for the Registered Mail piece.

EVERY SINGLE PERSON WHO HANDLES IT signs for it, STARTING with the front desk clerk who accepted it from you.

Registered Mail NEVER gets tossed into a hopper or a basket, to sit unattended. It is ALWAYS either in someone's hands, and that someone has signed for it, or it is in a LOCKED storage container, and the storage container inventory sheet shows that it is in there. All of those signatures on transfer paperwork go to a centralized audit trail.

With a Registered Mail number, the piece can be traced, from the clerk who first accepted it, all the way through to the recipient, and God help the clerk whose name is last on the trail if he doesn't have it in his hands, or it isn't in the container that claims to contain it.

I've used Registered Mail several times, for pieces that HAD to get where they were going, and I HAD to be able to prove they got there. You know your life is getting complicated when you find yourself having to use Registered Mail for something.

Secure in layers

[sthomas]

If you are required to transfer the data outside of your organization, then there are two areas of concern - confidentiality of the data in transit, and confidentiality of the data once it arrives and is in the consultant's control.

Data in transit:
Encrypting the data prior to transfer is highly recommended, so that when it arrives it is in a secured package, and it also reduces risk should an email be misaddressed or forwarded to an unintended recipient. For this part PGP is an excellent tool. You can encrypt using exchanged keys, or you can encrypt using a strong passphrase and then communicate that passphrase out of band (phone call is preferable, separate email is workable but less preferable). For the method of transfer, securing the channel of communications is another added layer of security on top of encrypting the data ahead of time. If you are using an interactive transfer like (S)FTP, it will protect the authentication credentials from prying eyes. Although someone intercepting the PGP encrypted file now may not be able to decrypt it, tomorrow's technology may make the task trivial, so protecting it is recommended. TLS-encrypted email from organization to organization is also a good choice, but may be beyond the scope of your project. However, if this will be an ongoing need, or if your HR rep is also passing confidential content in email, it's definitely worth looking into.

Data Protection after Transit:
Once the person has received the file, your data will continue to be at risk. Each copy they make of the encrypted file is another file that could potentially be moved outside of a controlled environment. Once they decrypt the data, the risk to your organization climbs as they strip away another layer of protection. At this point the processes the consultant has in place are critical to protecting your data, and lack of processes or sloppy adherence puts your organization at risk. I often use users' Outlook Sent Items to show how easily copies of data files propagate. Anywhere they store the data, encrypted or not, may be released outside of their environment when they dispose of hard disks or tapes, or if they have them replaced because they are faulty. We empower users with tools, and those tools can increase risk in unexpected ways.

Remember the most important security rule - always protect in layers. Remind everyone to treat all data like it's their own banking information or cash money. Require your partners/vendors/consultants to meet or exceed all of your controls. Allow as few copies of data (encrypted or non-) as absolutely required for operational and preservation purposes. Continually remind everyone of the potential risk of data loss. Make sure users understand that there is no single security solution - encryption provides one layer of protection, but the best security is constant vigilance and treating your data like it's cash money.

I would recommend you have a serious discussion with your HR rep, starting out by saying "I just want to be sure you're aware of the risk here, and we are doing everything we can to protect our company and our employees." Then spell out the risks without exaggerating, and remind him/her that it's situations like this where bad decisions end up in the newspaper. The first decision is "do we have to move this data outside of our organization?" and it should only be done if it's absolutely required. If it is, then layering security and requiring that your vendor/contractor treat it with the right level of sensitivity are all that you can do.

Re:Secure in layers

[MoOsEb0y]

Have courier one place encrypted volume on disk media, held in the locker of a train station. Courier two will pick it up later after being chased by men in black suits wearing sunglasses. One time key exchange should take place using steganography in various national newspaper headlines over a period of weeks.

PGP Universal Server or Tumbleweed

[shumacher]

We wrestled with using GPG/PGP/X.509 and things like AES encrypted zip files for a while. No matter what, we couldn't trust:

• That local users would create decent passwords
• That remote users would be able to understand how to decrypt/open the documents
• That users wouldn't send the password in the same email as the encrypted file

The found marginal success with Office document encryption, but ultimately, things were nearly impossible to audit when people were doing their own encryption.
We put a PGP Universal server with web messenger between our internal mailserver and our SMTP gateway, and set policies on what does and doesn't get secured. Aside from the occasional external user who is baffled by the concept of creating a passphrase, the server has been trouble-free. If you have to deal with arbitrary external mail recipients with unknown levels of clue, I highly recommend picking either PGP Universal or Tumbleweed.

Re:PGP Universal Server or Tumbleweed

Hmm. Well one way would be to encode the data to a RAM chip with battery backup, and a PIC which requires the correct code before a time deadline or upon (insert number of bad codes here) it interrupts the power to the RAM. Upon correct code it then enables the feedthrough for the data lines and the data can be read back.

Whole thing is encased in unmillable ceramic-filled epoxy resin backed with metal just to make sure. :)

-A

HTTPS w/ automatic encryption at rest

[xxxJonBoyxxx]

HTTPS w/ automatic encryption at rest: that's what I get in my "MOVEit DMZ" secure file transfer system. My occasional consultant uses the web browser of his/her choice, I can force them to use a cert to authenticate if I don't think a password will do and I don't have to mess with PGP or SMIME key management. (http://www.standardnetworks.com/moveit)

The first thing I'd do...

is post my requirements to a web site frequented by hackers. That way, they'd be able to get started tracking me down and be completely prepared to intercept and decode my sensitive data.

Re:Public key is to complicated for a simple one-s

[gmpassos]

The right way to delivery a symmetric keys is using asymmetric key, like RSA. Where no hand delivery is needed and is very secure.

Re:Public key is to complicated for a simple one-s

[Zentrus]

But you wouldn't have to distribute your private key. As long as you explain to the consultant that private keys are meant to be private, and you distribute the public key to the public, you should be pretty safe. The headache of public key encryption in this case is that it might take the consultant a bit of time to understand that before you can send the encrypted data to the target, he must obtain the target's public key. The target should be safe with public key... if someone sends them data signed with the wrong/malicious key, the target's private key simply won't decrypt it. So the source needs to be sure that they obtained the target's public key securely--either by having it signed by a trusted authority or distributed in a trusted way (physical delivery usually).

my pick

[DragonTHC]

encrypted thumb drive.

use truecrypt and create an encrypted file on a thumb drive. then if it gets lost, no one can retrieve it.

Re:my pick

[Tim+C]

I'd go with CD or DVD personally. They're much easier (and cheaper) to comprehensively destroy once finished with. We even have a CD (and floppy) shredder at work; quite good fun to use.

w00t

scp ftw.

A secure way

It always depend on how much you value security. The most secure way of transmitting big data that I've ever seen was to send a crypted CD by mail and send the password by phone or e-mail (can't remember which it was). It may be an overkill in your case...

What NOT to do...

[cjb658]

Send a CSS encrypted iso of the data on a WEP encrypted wireless network that requires HDCP to display on her monitor with a signature generated by LM hashes from an unpatched, unfirewalled Windows 98 box.

Certified Mail

[acherrington]

Certified Mail is really the way to go on this if you can't email it. Pop it onto a CD, then put it into package. Seal the package with a way you know if its been tampered with or not. Then request a delivery receipt. You will have a record of transmittal, to whom, when, delivery, and confirmation.

Re:Certified Mail

[john.r.strohm]

Certified Mail is not reliable. It can get lost. It can go astray. It is not traceable.

IF it actually arrives at its destination, the return card comes back by normal mail handling. The return card can get lost. It can go astray. It is no more traceable than the original package was.

Use Registered Mail if you actually care whether the package gets there.

Carrier pigeon.

[jpellino]

Even if you intercept the pigeon, you'll never be able to find the sender or receiver.

All you'll have is some unattributable data and a nice lunch.

OK I just know this sort of method will get mashed-up with PGP and be an FOSS project complete with a really cool pigeon icon inside of a year.

Blast. Should have called an IP lawyer.

Re:Carrier pigeon.

Search the RFC archives. There are already two RFCs on transmitting IP via Avian Carriers. There was also at least one project that implemented one of the RFCs.

Re:Carrier pigeon.

[Cyko_01]

OK I just know this sort of method will get mashed-up with PGP and be an FOSS project complete with a really cool pigeon icon inside of a year. to late http://www.pidgin.im/

I agree - start by finding a new consultant!

[arete]

I agree completely - getting the files TO the consultant securely is relatively easy... a GPGP key exchange followed by a phone call can pretty simply ensure who they are as well as anything. (I mean, as well as you know who the company is now - it's whoever answers their phone number.)

But then they HAVE the data, and if you care about your data, that's a problem.

In a perfect world, I would start by finding a new consultant - one who wouldn't even consider RECEIVING such data through email. I suppose in a PERFECT world, there wouldn't BE such consultants.

But failing that you need to lay out every security policy you think is important to secure your data, including INSIDE a network... firewalls, care with files, background checks on IT staff, background checks on the consultants. You need this laid out in excruciating detail. And you need it in the contract with them.

Ideally YOUR company needs to do the background checks on their staff... At a minimum you need to do a really sound credit check of them and have your attorney draw up a contract where they indemnify you for any loss due to a breach and any attorney fees to defend against and to recover from it. Etc.

Basically the same kind of due diligence you'd have for someone you were letting come in and install new servers and new firewalls on your site with access to everything you've already got. Or if they refuse to get up to a reasonable standard, you can tell them they need to do their work on your site.

Re:I agree - start by finding a new consultant!

[Jason+Earl]

Email is a perfectly acceptable medium for exchanging encrypted messages. That's the beauty of public key encryption. Once the message is encrypted only the intended recipient can decrypt it. Even if the attacker has the message without the private key and the password that unlocks it the information is basically useless.

Yes, you could be truly paranoid and start worrying about the actual strength of pubic key encryption, but if the criminals had access to that sort of technology they'd have bigger fish to fry.

So don't blame email as a delivery system. Delivering the message securely isn't the problem.

The real problem, as you point out isn't getting the data to the consultant. It is trusting the consultant to be careful with the data once he has it in his possession. The fact of the matter is that no amount of firewalls or encryption is going to protect you from a dishonest employee or consultant. Heck, with the right training quite a bit of information can simply be memorized by the dishonest individual.

Having the consultant (or employee) directly under your thumb probably does help. That's why using email to send the data offsite is a bad idea. Attackers aren't going to get anything from an encrypted message, but being able to monitor what your employees do with important information is facilitated by forcing them to come to you.

Re:I agree - start by finding a new consultant!

[jc42]

In a perfect world, I would start by finding a new consultant - one who wouldn't even consider RECEIVING such data through email. I suppose in a PERFECT world, there wouldn't BE such consultants.

And such comments from a manager would be good grounds for not accepting a job. There are no security problems in email that aren't present in every other kind of file transfer. Email is in fact nothing but another kind of file transfer, so the security problems are exactly the same as with any other file transfer package. If your management thinks differently, you have some serious security problems in your management.

There are reasonable objections to sending data via email. One is that a lot of email software only correctly transfers 7-bit ASCII data. And it's common to have line-length restrictions, typically 80 bytes (aka "punch-card mentality"), with newlines inserted in longer lines. Tabs can turn into spaces and vice-versa (totally destroying your code written in the Whitespace language ;-). So to transfer arbitrary data via email without damage, you have to encode it with a tool like base64 or quoted-printable encoding. But none of these problems are security issues; they just increase the byte count and require more human time to ensure correct delivery via crappy email software. OTOH, the added email headers can be useful for documentation ("CYA") purposes.

The real objection to email is that there are packages such as sftp that do encryption and file transfer as a single operation (from the user's viewpoint), saving a lot of human time and hassle. This minimizes the chances for a screwup by failure to encrypt the data properly.

I've worked in groups that had to resort to email when the net admins imposed rules that made it too difficult to get the required data delivered. We grumbled because of the hassle, but it worked, and didn't add any new security problems.

It's not all that hard to encrypt an email message. Yes, there are different encryption packages, some better than others. But that's orthogonal to the file-transfer protocol used. And email is just one of many ways to get the bits delivered, clumsy perhaps, but usable when simpler tools fail.

RFC 2549

Send the data by homing pigeon:

http://tools.ietf.org/html/rfc2549

Use Keanu Reeves.

He has the ability to hold data in his head. They even made a documentary about him called Johnny Mnemonic.

Why not 7Zip

Why not throw it in an encrypted 7zip self extractor file and deliver it to her by FTP or even email? It will give you 256 bit AES the only worry would be someone attempting to brute force it.

Red flag.

[PeanutButterBreath]

If this consultant asked for this data to be sent via email in the first place, that is a big red flag to me. It suggests a pretty lax attitude towards sensitive data, possibly an indication of general cluelessness/laziness/hubris.

Frankly, I would be a little suspicious of any person who wanted to take custody of this information at all if test data can be used instead. I would never take on that kind of liability if I didn't absolutely have to.

In an environment where neither HR nor their contractor seem to have a clue, I would enumerate my concerns (in writing) and insist that they make the call (in writing). Too many weak links in this chain.

Re:Red flag.

[bugg]

Public key cryptography solved the key exchange problem years ago. Why send keys in the mail?

Re:Red flag.

[SanityInAnarchy]

Just so long as you at least verify fingerprints via the phone. Fingerprints aren't any more secret than the public key, but at least on the phone, a MITM insertion attack is much more difficult -- they would sound different.

Re:Red flag.

[Kijori]

You still have to get their public key - if someone is intercepting mail they can man-in-the-middle this without much more difficulty than intercepting passwords. Public key makes the problem less serious but it still exists.

Re:Red flag.

totally - they shouldn't be letting this data off the premises The weak link is going to be after the data is received and decrypted.

Re:Red flag.

[jc42]

Frankly, I would be a little suspicious of any person who wanted to take custody of this information at all if test data can be used instead. I would never take on that kind of liability if I didn't absolutely have to.

Well, I can understand why you'd say this, and I usually want to do the major part of debugging with test data. But eventually, you need to do debug runs with real data. The reason is simple.

Experience from a hundred or so jobs over several decades tells me that software always fails on its first real data. This is because the test data was generated by a program that follows the published spec. But the real data is never, ever correctly formatted. It's always generated by a flock of programs written by different people at different points in the revision process, and is rarely rewritten to match changes in the spec. Or it's types by human hands, and is in all sorts of bizarre non-standard forms. And lots of jobs don't even have published specs for the data formats.

So you can get close with test data. But then you need samples of real data, from many sources, so you can learn about all the weird things that are in the data that you'd never have guessed from reading the spec.

And it's always a good idea to repeatedly insist that you need some real data. Change the spelling of names; randomize things like SSNs, maybe. But don't change anything else. Because your software will stumble on the its first "real" input data, and you really want to know about such problems before the official release happens.

I've even had a few cases where my bosses told me explicitly to not implement parts of a published data spec, because those parts "won't be used". The test data didn't use those parts, but in every case, the first real data used the parts that I'd been ordered to ignore and not implement. In my experience, this is what you should expect.

Using only test data is a serious mistake, and you'll take the blame for your poor software if you haven't openly demanded "real" data throughout the development process.

secure delivery is trivial unlike keeping it safe

NeverVotedBush and Orange Crush are correct: getting it there is securely relatively easy, and the real problem is the HR Director considering sending this data offsite without having thought through the matter. Put your objection in writing, not to the sending of the data per se, but to the completely unknown security environment that DIr HR wants to entrust with your company data. Attach printouts of a few big employee data breaches (http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP ) and then distribute to your management team.

Physical transport

In the hands of a bonded, insured, courier, into the hands of someone under a very draconian contract that spells out in a very big way what will happen to them if even a single record is leaked.

Seriously, this is not something you want to ever push across a network that has untrusted eyes anywhere, no matter what your encryption policy. Heck, you need to keep your own employees away from it even on the local network.

If the contractor is going to be putting it into new software that will run at your site, you need to bring the contractor into your facility to put the data in directly.

If the contractor is still developing the software, then the contractor doesn't get a single row of real data.

If the software runs somewhere else, you had better make sure that all appropriate measures are in place to safeguard the data, and you had better be REALLY sure that this offsite solution is the best option.

Once you let even a teeny tiny bit of this data out where someone can take it, you're in for a world of hurt.

my thoughts...

[LoganDzwon]

One thing to keep in mind here is you are designing a system for a non technical person. PGP is a pain in the ass for anyone nontechnical to use. https is also going to create a every annyoing system for this HR person. You could properly set-up your e-mail server to require SSL with vaild 3rd party certs to send/receive mail and EVERYTHING to and from your mail server and clients will be SSL encrypted. Then make her an e-mail account on your system like cc-luser (if her name is Local User and she is a contractor.) Require only this e-mail be used to confer between her and the company. She is obviously used to using e-mail for this work, (and really it makes sense for this kind of information,) so this solution will minably impact her. I do agree you should try conver with HR and legal if possible to put it into her contract is libable for any damnaged resulting her failure to keep the information secure.

Registered Mail

[john.r.strohm]

I'd send it on CDs, by Registered Mail, the same way defense contractors and government agencies send classified stuff, for the same reasons.

Yes, Registered Mail costs more. It is worth it. Registered Mail *EXISTS* for the sole purpose of shipping high-value items that MUST NOT GET LOST OR STOLEN. That is precisely what you have here.

And for those of you in the peanut gallery: Yes, I have done Registered Mail. Several times. It is a pain in the ass. The Postal Service thinks it is a pain in the ass, and will try really hard to talk you out of it. I usually have to say "Registered Mail" two or three times before they figure out that I really do know what I want. I have had Postal Service clerks ask if I knew the difference between Registered and Certified. They were always very disappointed when they discovered that I *DID* know the difference, could explain it to them, and wasn't about to back down.

If you are really paranoid, you send two packages, both by Registered Mail. One contains encrypted CDs. The other contains the decryption key. Or you split the data into two packages, that must be combined in a nonobvious way to reconstitute the data.

But the KEY to the transfer is Registered Mail.

It doesn't matter, you've already lost

[Jerf]

If the consultant really expected you to email the data, and expressed even a modicum of surprise that you wouldn't do it, they've already disqualified themselves from being able to securely handle your data.

Do you really think that this is the only flaw in their handling of sensitive data? That, otherwise, they are security conscious and careful, except for this odd flaw where they don't understand how insecure email is?

If you care, it's time to change consultants.

If you don't care, just email it already.

(I'm actually not quite as rigid as this may sound out-of-context. I don't agree that security is all-or-nothing, so please don't strawman me that way. My second paragraph is important; anyone who expects those things emailed to them is so far away from the necessary knowledge and skills that debating whether they are close enough or whether they will be able to take reasonable care is a waste of time, arguing about whether the receiver made a touchdown when they got tackled on the 10 yard line on the wrong side of the field.)

Re:It doesn't matter, you've already lost

finally a sensible answer to this.

it sounds like the consultant does not understand the sensitivity of the information they are handling..so even if they get this data in a secure format, they will just decrypt it, and store it on their desktop for easy access. then may, or may not delete it after the contract is complete.

Re:It doesn't matter, you've already lost

I hate to jump in on people - I rarely do it. BUT I want to make defense about something that, in my mind, is being overlooked and is causing this whole mess to be blown way out of proportion.

To get started, I'd bet if you answer these questions (with good defensible answers), you will come to the same conclusion as me.

What is the value of the data?

Who are the threat agents that will attempt contact with the data while it is being emailed?

What is the probability that they will have contact with the sensitive data?

What is the probability that their contact will result in action?

What is the ability to resist, or lessen the severity of the loss if it is stolen?

What is the amount of loss that will occur?

It seems to me that the chances of a loss event are impossibly low (like worse than royal-flush chances) and that even if a loss event occurs, the severity of the loss is very low as well. It seems that the most logical answer is that they email the data.

If you answer those questions and disagree with me, please cough up some defense. This could be a big deal if publicized; it could have impact against the "secure email" product space, right?

To qualify myself, I have been a security professional for 10+ years, a CISSP for 8 years, and I am an information risk executive for a top 10 U.S. financial institution. (And I'll happily provide proof upon request).

Re:It doesn't matter, you've already lost

[Rhys]

What he said. And I'd add to it, if you do email it to them in any form to make sure that you've covered your own ass. Have your boss email you telling you to do it, and get a hardcopy of that mail signed by your boss.

They'll still fire you anyway, but at least this way you've got a stronger case if they start talking lawyers.

VPN and IPSec

[Defector!!!]

Why not just establish a VPN with them and either secure FTP it or use IPSec? This honestly doesn't seem that hard, especially if you're sending a few gigs of data....

Email Storage

[Geekbot]

Don't forget that you may be working with a company that may be required to, or will at any rate, backup their email securely and store it for a long period of time. The same might be true of any data on the network. Then you are dealing with a situation where your data must not only be secured during this stage, but where you must trust the contractor to secure your data for years. What would happen if that information was compromised after the company folds up?

Any situation where your information is held by another party could involve risks to your company. These risks could endure for years, even after the other party has closed up and no longer able to insure the data themselves, potentially leaving all liability with your company with no recourse.

Example: Contractor closes shop in 4 years. Backup tapes are abandoned with no IT on staff to take ownership. Backup tapes are looted by hooligans. Hooligans use credit information of your employees to assume their identities and rack up bills in their names. Depending on the size of your company, 100's of employees decide to file suit against their employer over the reckless loss of their data. Your company has no one to put the burden on because the contractor is now out of business.

One Word

[Jon.Laslow]

Sneakernet.

Emailed?

[e-scetic]

If I was that consultant my first question would have been how to transfer that data securely - but maybe that's because I know what I'm doing. Therefore, I'd be totally allergic to giving that data to this consultant, regardless of any non-disclosure agreement.

What to do

[hejish]

First, your company must have a policy. SSN's are sensitive data. Second, your company must have a contract with any folks not working for your company requiring that this data be protected in a manner compliant with your company policies. Third, the recommendation to have the consultant work on site or work with the data on site is appropriate. Requiring that the data NOT leave your site sounds very reasonable. If they are remote use 2-factor authentication to get into such sensitive data and administration of systems.

Re:What to do

[Overkill+Nbuta]

Theres one simple solution to all this Carrier pigeons.

Flash drives are light enough to attach one to there legs. BAM Secure data transfer. The FBI cant wiretap when there are no wires!

You could say this method has no strings attached. Worst thing that can happen is a stray hawk. But this can be avoided with the attachment of lasers to the pigeons. Secure as it can get.

Fermilab anonymous-letter style

[Ripit]

Frank Shoemaker would call it noise, though.

Comment removed

[account_deleted]

Comment removed based on user account deletion

NOT

NOT

0Courier

The answers are far more interesting than the

[obarthelemy]

question. That's why I love /.

broad categories:
- spy jokes
- how to securely transfer files
- transfer is not the issue, safety at the other site is
- cover your ass

- safety at your site is probably an issue too, if plain email was the suggested method of transfer

Depending on the company, I would or would not, as a tech guy, broaden the question to points 3+ . Nobody likes a troublemaker/whistleblower. Mention at the coffee machine to the one giving the orders that data security issues during the transfer are by far not the only ones. If you have to, cover your ass in an email, not talking about your reservations but about doing the transfer as requested, and keep any emails on that subject.

Follow up a couple of weeks later with info on data security, and try to get the ball rolling from there, if you can get people motivated about the subject.

S/MIME

[StormyMonday]

S/MIME is built into every modern e-mail client that I'm aware of. Microsoft Exchange Server has cert-generating features built in, or you can use OpenSSH. You can roll your own certs with no problem except for the mail program yammering about "unknown root CA". All the hoohah of "PKI" is only needed if you can't verify key fingerprints over the phone, or by some other out- of- band communication.

PGP/Gnupg works just fine, but it's a pain in the butt. Putting your data on a CD-R or USB memory stick (encrypted, please!) and hand- carrying it works, and will probably generate the least stomach acid.

BTW, if you can't trust your consultant to handle your data with security that's adequate (in *your* opinion, not theirs), get a new consultant (speaking as a consultant.)

Re:Public key is to complicated for a simple one-s

[pyite]

The right way to delivery a symmetric keys is using asymmetric key, like RSA. Where no hand delivery is needed and is very secure.

Uh, only if you have public key infrastructure (i.e. pre-trusted authorities). I can generate shared secrets all day long with Diffie Hellman, but it really only helps me if I know that the recipient is not a man in the middle.

RFC1149

[ewe2]

Although the potential man-in-the-middle attack is a problem, this was used with great success in WW2 with normal messages - even the losses from German anti-pigeon falcons were minimized!

United States Postal Service

Certified letter through the USPS? It's the government what could go wrong?

Re:You mean like rsync?

Physical media is not a good idea because it's obsolete by the time it gets there.

Say what?

They should use a secure access to your system

They do the work, but why on their hardware, which you cannot trust. It must be on your production hardware, your secure data center, your password control, etc.

All data should stay inside your firewall. The system either has remote access or you can do a citrix thing, with a RSA secure id second key.

Easy Solution

[dark_15]

I like the idea of FTP over a site-to-site VPN the best. The VPN is created on the network side so you don't have to deal with PGP configuration on the client side, and you can restrict which hosts are allowed to access the server. By not exposing to outside your network you reduce the risk of brute force attacks. Note that FTP only works if this system uses a flat file (csv, xls, pdf, etc.) to store data/reporting.

The same idea applies to a database - send the traffic over a site-to-site VPN. Allow only the ports necessary to travel across the VPN (tcp 1433 on MSSQL, for instance), and set up restrictive accounts to allow them to query the database. Regardless, VPN is going to be your best (and safest) bet.

Encrypt and split the data

[davidwr]

Encrypt the data in such a way that losing a small bit renders the whole unrecoverable except by brute-force.

Then split the encrypted file into 2 parts. You now have 3 pieces of information that can be transmitted over different channels: Parts 1 and 2 of the file, and the password.

Using a one-time pad is even better but then you have 2x as much data to transmit.

Oh, hand-delivery and non-disclosure agreements as mentioned above help a lot also. Also, if you don't use an encryption method that doubles as a signing method, sign the data to make it tamper-evident.

sneakernet

[zish]

Individually uuencode each of your sensitive files, then zip-span them across multiple floppies. Place these floppies in a diplomatic pouch, and give it to Janine D .Hellmann (who is really Sydney Bristo in disguise). She then swaps the package for a replica. The real package is deposited on a cafe table in Barcelona (but it's really a set in Los Angeles. That's masking), where another agent picks it up. This agent proceeds directly to a safe house (incidently in one of Ben Affleck's mansions, but you're not supposed to know that). That's double-blind. YOU don't even know what your data is! Noe does your recipient!).

Ummm.. On second thought, just use GPG or Thawte Freemail, or one of the other myriad free mail signing and encryption services out there).

Secure FTP and PGP

[carlzum]

I deal with a lot of healthcare data as part of my job. We use secure FTP for all transactions and PGP encrypt all of our files. We instruct external groups to decrypt the files to a secure location on a secure machine. There's no guarantee the application or desktop user downloading the file is on a secure system. Encrypting the file prevents someone from accidentally leaving the file on a laptop or network folder.

I see a lot posts suggesting you mail or hand-deliver the files on disk. In my experience more data is leaked through lost mail and courier mistakes than by hackers.

Re:Secure FTP and PGP

[VendettaMF]

No-one but the idiots suggested mailing it.

Sure, half assed "couriering" loses stuff, but that's because it's not couriering. FedEx is not a courier company. It's a private mail company.

Couriering means that one person takes responsibility for the parcel/message and remains with it until it reaches it's destination. Preferably physically bonded to it.

Basically, if you know who has it, and you know where their family lives, then it's couriering.

Hand deliver it.

[barry99705]

Copy it to a truecrypted thumb drive then personally hand deliver the drive to the consultant's computer. No one but you has the password. You input the key on the new computer.

One word

Semaphore

Old Grouch Here (Or maybe Old Farte)

[beadfulthings]

I wouldn't send it to her at all. I'd take it to the consultants and stick around while it's being used, or have them come to my facility to use it under my control and conforming to my policies and procedures. You can use the most ultra-secure encryption you want, and you've got no clue as to what's going to happen as soon as the data gets to the other side. The first rule of security has always been "install a good lock on the door to the computer room." The other platitude that applies here is "good fences make good neighbors." Or in other words, if the consultants don't like your security, you probably need new consultants. The idea of taking the data away from the premises, loading it into a brand-new package, and then bringing the whole thing back inside just gives me the heebie-jeebies. Your HR people need you to tell them this. That's why they're doing HR and you're doing IT.

By hand

[MadnessASAP]

Double encrypt the data with two 2048 bit keys placed on 2 separate CDs carried by 2 different people on 2 different flights then have a 3rd person carry a CD with the encrypted data on a 3rd flight. For even better protection ensure that the 3 people do now know each other or the nature of the data they are carrying. Of course it may not be the most practical solution but if latency is not a factor it's going to take a very dedicated criminal/idiot to steal/leak this data.

hard copy method

Someone mentioned above, burning it to cd. I've used this method in a simliar situation, where there were a whole number of issues I'm not going to go into here. In the end it was a bit of a "f$%& it" momment, just encrypt files, burn it to DVD. Get it couriered by a reputable service. It was simpler than clowning around with transfers.

It may take a while to get to the destination, but never under estimate the bandwidth of a small box full of DVDs in a truck.

If it's encrypted to all hell even if the DVD were to be lost or fall into the wrong hands it's just a useless piece of polycarbonate.

Don't send it to a consultant who would ask ....

[CFD339]

...by email.

This consultant wanted you to send it to them? I've been a consultant and developer for nearly 20 years. I would NEVER EVER ask for data like that to be sent to me. I wouldn't want to be anywhere near owning that kind of responsibility for someone else's critical data. You couldn't make me take it if you tried.

Your biggest problem, as pointed out by others, isn't the in-transit data but rather what it does once the consultant gets it. If he's so unaware of modern security best practices as to ask you to send it to him, it's fairly a sure bet that his environment and practices are no where near good enough.

old fashioned technique

[belmolis]

There is an ancient technique that might be applicable here. You shave the skull of a slave and tattoo the data onto his scalp. Wait for the hair to grow back, then send the slave to the destination, where the skull will again be shaved. If further security is needed, you can encrypt the data before tattooing it on the scalp, and you can sedate the slave so that he doesn't know what you've done. This technique may not be legal in some jurisdictions.

Fips, PGP, etc, etc, etc,

[mkettler]

First, there's lots of existing standards out here.

What does the US government use (or is supposed to use) to protect information like this for its own employees? Fips- 40-2 certified encryption products (which generally are FIPS 197 AES based, but FIPS 140-2 certification involves other tests). That's certainly one good standard to go by. (see note 1 at end though about keys)

Obviously many have mentioned PGP/GPG, A very solid option. Selected versions of PGP are also FIPS 140-2 certified (re-certifying every version can be expensive.), and this option has very good public key handling.

Many have pointed out various SSL based systems, https, ftp with SSL, etc. Also very solid, although it only handles the data while in-transit. Make sure it lands on a well trusted server. (ie: securing in transport doesn't help if the destination server gets hacked)

If you want to broaden out to other tools, in general, I'd stick with some basic rules:

1) must use at least 1024 bit public keys for key exchange, or at least 32 character passwords transfered by some other secure means (which is hard, so go public key). Good encryption won't help you if it's just passworded with an 8-character password of all lower-case letters (that's only 38-bits of key entropy, even if they're random).

2) must have at least a 128 bit key for the symmetric cypher.

3) Symmetric side encryption must be based on a reasonably secure cipher. AES, 3des, RC5, RC4 (careful of buggy implementations, ie: WEP), Twofish, Blowfish, square, CAST all have withstood a reasonable amount of attack without truly glaring weaknesses that radically reduce their real-world security. XORing with a 256-bit value has not.

4) Must use a cryptographic has function (MD5, SHA1, SHA2, etc) for message integrity. CRCs are only designed to detect errors in transmission, not malicious modifications in transit.

5) ideally should use public keys to establish the authenticity of the sender, but in this application that might not be necessary. You're more concerned about intercept than complete substitution of the file by a different sender.

VPN

[Super+Jamie]

Setup a VPN between your two companies, your network guys should be able to setup a secure IPsec or PPTP tunnel.

Only allow traffic from a certain range or IP to a certain range or IP, over specific ports. Deny everything else.

This covers your ass from your company seeing theirs, and their company seeing yours, whilst still allowing access to the data, and only the data.

Rather than setup SCP over SSH or SFTP, which require learning of a new sort of client software, setup an authenticated HTTPS front end to the data - I'd assume everyone knows how to use a webpage, and save a file to the appropriate location - this encrypts the traffic (and password required to unlock it) whilst reducing end-user learning curve.

Getting it There is not the Challenge

[banished]

Many have already mentioned adequately secure means to deliver the data. The policies of the receiving company is probably out of your control, but at the very least all personally identifiable information (PII), such as what you are talking about, is mandated by the Privacy Act (and subsequent) to be controlled and protected almost to the same extreme as HIIPA. I would mark any PII I send outside the company with, "This data is controlled by the Privacy Act. Unauthorized use or release is prohibited," disclaimer statement at a bare minimum. Your legal division (if you have one) would likely have a hissy fit if they discovered PII was leaving the company without such a statement. If you don't have a legal department, then there's plenty of web resources on PII. Even if you can't come up with legalistic wording, these days no one has legitimate claim to the, "But, I didn't know," excuse when it comes to the federal PII protection requirements. In the military, all e-mails containing PII must be encrypted using smart cards. http://en.wikipedia.org/wiki/Personally_identifiable_information

Proverb

[Throll]

Why move the data to the consultant, when you can move the consultant to the data?

It's a one-off event, not a repeated delivery..

[VendettaMF]

Screw the IT angle. There's no financial benefit, and negative security benefit to be gained by setting up some one-off secure virtual network for a one-off event.

The only sensible method for delivering this is encrypted on a dvd-r in a case chained to a security professional's wrist, accompanied by n+ armed escorts, where n is a factor of the public value of the data.

Never underestimate the bandwidth of a professional courier.

MY GOD!!!

[Jane+Q.+Public]

What overkill. People recommending multiple-step, even multiple-encryption, systems. And software that needs installing and configuring on both ends. And so on.

As long as the file gets there safely, you don't care what they do with it on the other end, right? (That is the most common scenario.)

So these people are trying to shoot ants with cannons. Massive overkill. REALLY all you need is scp, and unless you are running Windows, it is already built-in and needs little if any configuration. It's ready to fly.

You would be hard pressed to get better security during transmission, and when it gets to the other end it is in its original form. No messing with keys or pads, no UN-encryption, in fact nothing at all for them to do. Send it via scp and there it is. All you need is for them to give you a username and password, which is a hell of a lot simpler than some of those other ideas.

Re:MY GOD!!!

[timmarhy]

you wouldn't be to casual about it if someone used it to take loans out in your name and fuck you over. you'd be screaming about the lack of security then.

Re:MY GOD!!!

[Jane+Q.+Public]

What "lack of security"?

The file(s) are being sent via ssh. That is PLENTY secure. No matter whether it is otherwise encrypted, THEY can mishandle it all they want on the other end. You simply have no control over that.

If they want to implement more security on their end, so be it. Within reason, one must conform to what the customer wants. BUT... if the task is just to get the data from here to there SECURELY, without needing to concern yourself about what happens after (and that is a very common scenario), then scp is about as secure as AES, without the hassle.

Don't let the data leave your network...

[SeaSolder]

Why does the data ever need to leave your building / network in the first place? You can load up whatever software they need on a machine at your location, you can inspect it for security vulnerabilities, then you can move the data onto that machine, and they can manipulate it to their heart's content over the secure VPN connection. Data never leaves your place, you don't need to deal with surly postal workers, and your company never needs to worry about getting bad press for loosing millions of SSN's. Easy.

Don't

Why move the data to the consultant outside the firewall. Why not move the consultant inside. If you do not trust the consultant on a machine within your control why do you trust sending the information to them?

Many different methods / combination of Policy/Tec

[edlong]

The SD crowd has clearly expresses it's love of PGP, and I have lot's of love for it too. But from a business perspective this is a much larger question. From a tech side there are other products such as Microsoft Right's Manager and Adobe's Policy Server.
http://www.adobe.com/products/livecycle/rightsmanagement/
I'm not endorsing either of these products (so save the flame wars), but identifying that this market is much larger than PGP. There also add a lot of other features, like restricting printing, restricting how long a file can be accessed, multi-factor authentication etc.

As for sending the data that you mentioned (SS#, DOB etc) this is a fine marriage of technology AND company policy, along with state, local, federal and national laws. For example the EU laws are very strict about sending this information and you need to be familiar with each nations requirements. Additionally, sending sensitive data across borders is a concern. As an example, a client could NOT outsource certain HR functions because of these laws. And when overseas certain HR develoment was done a thorough cleansing of the data needed to happen before it was either accessed or sent out of country (e.g. removing SS#'s Dob etc.)

In a nutshell you need your business to define what the security policies are, then use technology to the best you can to implement the policies. This is critical for SOX compliance and legal ramifications. Having the policy is almost, if not more important than the implementation often.

Cheers.

I think I've met that consultant...

[grikdog]

Your data is not your data, to paraphrase some trite poetaster or other. SSN's belong to the individuals who own them, not you, not your consultant. I agree with others here -- the heebiejeebie potential is mind melting. Can you imagine the class-action lawsuit your company faces if that data winds up in a Russian (Chinese, Bolivian, etc.) stolen identity database? First rule of security: It's not. The egg was open when the yolk went in, and the egg is open when the chick comes out. The fox is patient. Actually, that's too glib. "Security" is provided by processes having nothing to do with technology. The locked door shattered has merely proven breaking-and-entering, which triggers a whole new level of punitive retribution: I.e., the penalty for burglary is higher than the penalty for trespass. Any member in good standing knows the value of belonging. You want your consultant's fingerprints, her posted bond, a sample of her DNA and a set of mugshots, plus a background check.

VPN

[Belial6]

Set up a system on site for the consultant. Give them a VPN connection to that system so they can remote access it, and have the data loaded on site. The consultant doesn't have to make an unnecessary costly drive, and you don't have to let your data leave the premises.

dont' let it leave the network.

[timmarhy]

give them a remote shell that's run via an ssh encrypted session (block the file transfer option). this way it's much harder to wholesale copy the data, or more likely, lose it and have it fall into the wrong hands.

it's not good sending it to them encrypted if they just decrypt it and store it themselfs in an insecure fashion.

You're screwed

The fact that the consultant's company doesn't already have a standard way of handling this should scare the crap out of you. This should have already been spelled out in the contract with the consultant.

Instead they've turned it back on you asking for your requirements. You will be held personally responsible when (not if) things go bad.

Really, you should only send them a dummy set for development. They shouldn't be dealing with real data until onsite testing later. There is no good reason to ship the a full, real dataset.

Re:Don't send it to a consultant who would ask ...

[avandesande]

I would just tell the consultant that they have to do it on-site and on my companies hardware.
It really isn't clear what the circumstances are behind hiring the person, perhaps a compromise like I illustrated would work.

Two aspects

[Lulu+of+the+Lotus-Ea]

There seem to be two different and orthogonal security concerns raised in the discussion. The one question actually asked is how to securely transmit the data to the consultant. For that, the correct answer is either GPG or SSH/SCP. Either of those insure that the channel itself cannot be intercepted.

The second question is whether the data is secure once the consultant has it. A corollary of this is whether it is *really* necessary to give the consultant data access. Perhaps the answer is "no", but I'm not privy to the internal issues that make "yes" at least a plausible answer. Once the data is in the consultants hands--no matter *how* it was transmitted--it's only as secure as the consultant keeps it. Whether it is an encrypted data channel like SSH, a hand-delivered medium, or whatever, if the consultant can decrypt it she could potentially expose it.

How will the data be sent back?

[scrib]

If you're sending data to a consultant for processing, how do you expect the consultant to return the finished product to you? You can be as paranoid as you want and totally ineffective if next week the consultant emails you an unencrypted MDB file.

The other replies make a lot of sense in pointing out that your security policy is only as strong as the consultant's weakest link. Can someone potentially sniff the email as it goes by? Sure. Is anyone actually watching? Probably not.

PGP or GPG keys sent via email are always vulnerable to "man in the middle" attacks unless you verify the fingerprints through other secure channels, etc and so forth. Is anyone taking the trouble to do that for access to your data? No. Seriously.

You could probably even get away with putting all the data into a single ZIP file, and then putting THAT single ZIP file into a password protected ZIP file. (If you have more than a few files in a password protected ZIP file, there are apps out there that can do some comparisons and crack them open in moments.) One file in a ZIP, with a strong password given over the phone, should keep out the nosy and all but the more educated hackers. The educated hacker already has access to your system after asking HR's password on a "support" call.

I'd agree with the masses - GPG. However, it is VITAL that the consultant knows to encrypt the data sent BACK or it is just a waste of time. Good luck!

too lazy to do key management ... used voltage

[zir0z]

I had a similar exercise that I went though a couple of years ago with a former employer (10k+ primarily non-technical user base, financial services company, approx 1mm outbound messages per day including automated processes, approx 30%+ contained sensitive info like acct numbers and SSNs that needed to be encrypted, and recipients were a mix of corp users and users that used free email accts as their primary address).

Email was pretty much the file transfer mechanism of choice for the business (for better or worse).

Major issues from my team (Info Sec):
1) how do we stay out of the key management business (anybody that has been to the key ring, PKI, certificate, etc. management barbecue knows what I am talking about here)
2) that we get all the mail off of our systems at the time of delivery (basically, in the wild world of e-discovery, we did not want to have to get into managing other company's 'sensitive emails')
3) no software required on the recipient's machine

I have used, tinkered with, been burned by, loved, and hated pretty much all the top players in this space... but based on our requirements and my personal motivation to just solve my email encryption problem and go back to my other work without needing to tie up resources to support users that were now using the implementation... I went with Voltage (http://www.voltage.com). It took two change control windows to get it into prod (one to test, and one to go live). For the sensitive email traffic that was not handled by gratuitous SSL/TLS (roughly 100k+ messages per day) we used Voltage at the gateway with users entering a key word in the subject line to encrypt. It took a little bit of training and some internal showing of dirty laundry, but users eventually caught on... and within about 3mos of implementation we were dealing with high 100s to low 1000s of user violations. We could have dropped the number to 0 by rigging our DLP product into the mix and forcing all remaining sensitive data flagged by our DLP solution to go through Voltage, but the business was happy with the drop in violations and did not want to do that.

In short, we dropped our plain text email violations from about 300k+ per day to about 1k per day, nobody had to do the key management dance, and no residual customer email was left in our environment. As a side note, Voltage also has a SAAS product that is completely managed by them that we referred our power recipients and business partners off to... once again, no work there for me or my team. ;) At the time that I left, we had the solution in play for 3 years and only had about a half a dozen support tickets opened on the solution - and basically, they were from users that did not read the web page they were looking at.

Hope this gives a decent data point for your issue.

FedEx.

FedEx - never underestimate the capacity or security of a truck full of floppydisks.

Sendside Networks

[pyite69]

http://www.sendsidenetworks.com/

They are like PayPal for documents. Secure, with tracking of who has read the documents. And the information doesn't leave their network.

Re:Sendside Networks

[pyite69]

It is free, and about as easy to sign up and use as Hotmail.

Deliver by Hand

[mahill]

The DoD allows classified information to be stored on AES-256 bit encrypted Kanguru flash drives. They come in at least 2 GB and 4 GB models. It would be best to take it over by hand on that if you really want secure.

Don't send it at all

[elronxenu]

You are about to send sensitive data to a third party who will load it into a new database and send you back the database. That's insane.

You need to bring the destination (the database) in-house. Either load the data yourself, or get the consultant to come in-house to load the data. Under no circumstances should the sensitive data travel outside your network boundary. It's not a question of "how strong is my encryption" at all.

AES 256

[Heembo]

WinZip with AES 256 encryption using a very strong password delivered via phone is sufficient in some situations.

Re:AES 256

WinZip with AES 256 encryption using a very strong password delivered via phone is sufficient in some situations. Personally I would trust 7-Zip more than a US commercial entity.

http://www.7-zip.org/

Fake it!

[random99]

Send real world data for a test? No Way! There are plenty of websites that will create any number of fake names, addresses, SSN, DOB, etc...and its free! You can even customize fields for your application.

Re:Fake it!

Yes! This is exactly correct. You should fake the data for the consultant. This will handle the initial development. Afterwards, you need to take 25% of the total database and scrub it (re-assign SSN to fake SSN, change people's names, change B-days and addresses) and send that to them. The reason for step 2 is to see if there are "data hygiene" issues.

The actual data migration should be done on-site.

Sneakernet

[Khyber]

It may take time but for moving huge amounts of bandwidth there's usually no better alternative, and you have much easier time keeping tabs on who's responsible for what.

protectoria

I would use Protectoria they provide a safe way to send sensitive information via e-mail without any initial setup

S/Mime

[jonoton]

Funnily enough I've been asked pretty much the same question.

Slightly different scenario, in this case it's payroll information being sent to the company that deals with the payments.

The "consultants" suggested emailing it, when I said that wasn't going to happen they suggested putting it on an ftp site. (What the hell are we paying them for?)

As the people involved at both ends are not IT people and are all on Windows PGP isn't really an option, but S/Mime is. It also gives the advantage that you can say - go buy an email certificate from this website (pointing them at verisign/globalsign/another-t-t-p) and let them worry about the authentication issue.

S/Mime is integrated into all the common MUA software these days, certainly anything they'll be using on windows, and it's really quite easy to use.

The downside of it is that the security of the system boils down to key management & users. Once you've told them it's ok to email this information how do you guarantee that it's been sent encrypted?

Damn it !

[stephanruby]

Don't be a dick. I know that's you. Email me the data already.

Not by email...

[Secret+Rabbit]

... I what people seem not to get/missed.

1) Strongly encrypt the data via your favourite method

2) Setup an Sftp with a user name/strong password for the consultant*

3) Send the user name/strong password to him/her via email (PGP/GPG)

4) Keep the login log in a very safe place, along with any other email exchange, keys, etc that show the transfer has occurred and by whom.

* If you want to have a even better "paper" trail, have them send you the IP of the host that they will be logging in from and limit access to just that host. Also have make sure that this IP is verifiable owned by the consultant firm. Keep the verification.

If all of the above is done, you have made sure that the login has been done through the only *one* IP allowed (owned by the consultant firm), through a login that only one person has. So, any fuck-ups are there's and there's alone.

But, if possible, I'd also require them to keep the data encrypted and only decrypted for use, preferable not to a HDD (ram disk). Not to mention any other mechanism that you can think of. Also make sure that the paper work requires any and all requirement to be applicable to any subcontractors as well as any of the subcontractors subcontractors, etc. Because, these consulting firms have a rather poor track record of keeping this data secure. And if they don't do it, and bad things happen, there is legal recourse on your part (as well as possibly the people who's data it is).

SneakerNet

Copy the data to a hard disk, carry the hard disk between sites.

Two words...

[fahrbot-bot]

Data Mule.

Dropbox is simple enough

[SethKinast]

I've been using Dropbox to move stuff between laboratories that needs to be updated by more than one party. It's all encrypted and stored server-side, and it's pretty much transparent to the end user since you just drop files into what looks like a normal folder. That eschews all the complexity of PGP or making FTP users, and is secure as long as physical access to the machines is locked down.

PGP yet again .. with some real world examples

[johnlcallaway]

I have worked for two different companies that sent ACH (EFT) type transactions worth tens of millions of dollars over the internet. We used an SSL HTTP web site for the transfers, and encrypted AND signed the packets with PGP keys. That way, when we got the packet, we could decrypt it AND verify the originator.

I'm sure if someone worked hard enough they could have broken it, but since the firewall would only allow connections from specific IPs, it would have been tough to inject data into the system.

This meant that the biggest threat wasn't someone stealing the raw data, but someone on the inside gaining access to the data after it was processed or was being processed and possibly in an unencrypted state. The DBA used some type of Oracle encryption to prevent someone gaining access to the database and being able to run SQL queries and return unencrypted data without some type of key (I don't know how it worked ... sorry.) And unencrypted data was never allowed in the DMZ. I'm not sure how long unencrypted data may have been on app servers or in memory, but I remember security and the developers having a lot of conversations about it.

So .. don't stop at just the transmission. Security has to be looked at from source to destination and archival.

bzip, split and send three ways, scp, email, pendr

[refactored]

1. write wee scriptie that splits a file 3 ways byte 1 to file 1 byte 2 to file 2 byte 3 to file 3 byte 4 to file 1 ....
2. write wee scriptie that merges them again.
3. email scriptie to consultant.
4. tar bzip2 the files.
5. cut out 4 bytes from the middle of the tar ball.
6. hex dump the 4 bytes and read them to him over the telephone.
7. split the cut down tarball three ways.
8. scp one to him, give him an https url for another, put the third on a usb pen and snail mail it.

   1. When he totally freaks out and starts screaming. Rename the file to GrowYourPenisNow.doc, spoof the From: header to be from hotmail.com, add a subject line V1agra and send.

      Nobody will ever bother to read it.

LL?

One might also consider putting both systems out of the Internet and connecting them via a LL. Usage of crypto is still required, however 0day bugs (i.e. Debian's OpenSSL lib) will present less of a threat.

how to send it

How to send confidential data like this? Archive to a large disk (DVD). Use more than one if necessary. Place DVD jewel case into briefcase. Handcuff briefcase to CIO. Cover handcuff so as not to arouse suspicion. Send CIO to destination. No hacking, no data loss, security problem, etc.

In lieu of new consultant, require data standards!

I do consulting with HIPAA requirements. Makes me a little nervous that only after you bring it up, THEN they ask about data security requirements, especially when they SHOULD know about the sensitivity of this data these days.

However, assuming that you can't do anything about it, here are the methods I have used, depending on the capabilities of the client:
1) standard FTP of PGP encrypted files
2) sftp/https using digital certificate authentication
3) e-mail of PGP enrypted attachments
4) enrypted private VPN tunnel (IPSec)

Where do I store this data? On a truecrypted volume, manually mounted if the system reboots (password NOT stored anywhere on the system). If my office gets broken into, they only have a useless disk of gibberish.

Don't send it

[deboli]

Don't move the data, move the consultant. Prepare a work space and ask the consultants to work in your office. As soon as data leaves your system you have no guarantee that it will not be passed on. Data transfer is the least of your problems.

Additional issue: Sending raw data out is easy (many ideas have been voiced in this forum) but how are you getting it back? Tables to import? Live link between your company and the consultants? Incremental? Is this a one-off or a continuing effort?

Regards, Oliver

/dev/null

Right in the bit bucket. Nobody needs MY info.

Secure connection to YOUR network

[Slotty]

You don't allow them to take it off site!

Secure VPN tunnel and some form of remote desktop if it's GUI based,or SSH in if it's terminal based.

In a world of highspeed connections and cheap hardware there's no excuse for anything to leave the confines of your network where you as the person in charge of security remain the person in charge of the security.

SFTP, PGP or bust

[StealthyRoid]

I agree with the few posts I've read that've recommended PGP, but there's an easier alternative if you don't want to go through the hassle of setting up PGP keys for non-technical users: SFTP. It runs over SSH, so you're as secure as you would be when logged into a shell, and it doesn't matter which one of you has which side of the connection (client/server, I mean). There are probably some auxiliary benefits to SFTP, like controlling at least one place where the document is stored (as opposed to having it sit on some random company's email server, even in encrypted form), but the ease of use is probably the main reason to use it.

I'd probably be persuaded that the overall benefit of spreading the use of encrypted and digitally signed email is greater than the effort put into explaining to Suzy Secretary how to install Enigmail.

NO! not PGP not SFTP.

[emj]

You are missing the point, the worst thing that happens to the data is when it arrives to the consultant. These kinds of databases are something everyone sees value in, and makeing a copy is trivial. (Even though the consultants laptop isn't on the network, and not plugged into power)

Make it very clear that this data can not be exposed. See some good posts:

http://ask.slashdot.org/comments.pl?sid=560624&cid=23500514
http://ask.slashdot.org/comments.pl?sid=560624&cid=23500510
http://ask.slashdot.org/comments.pl?sid=560624&cid=23500324

Re:NO! not PGP not SFTP.

[cybercat13]

Good point, however, the point needs to go further. Sensitive data should not be electronicaly transimitted without the approval of one management level higher than the requestor. Also, the request should include a signed MOA as to what the data is to be used for and how the data will be handled otherwise the sender of sensitive data can be held liable for the release of the data.

Simple, Could Be Expensive

[no1home]

Encrypt the file with PGP and put it into a TrueCrypt container on a USB stick that requires a thumb-print for access and which is wrapped in a condom and 'hand' delivered by the 'mule' via the usual hidden methods. The access codes are encrypted into an image file delivered by uploading it to a porn site, the location of which is emailed to the intended recipient with a note saying something like, "Hey, check out this babe I was with last night."

Encrypt, encrypt, encrypt...

[JWSmythe]

IF (big IF) you can trust the outside network with the data, which I would consider to NOT be true in 99% of the cases, you could implement what I laid out on one of my sites. Check out http://cryptmsg.com

    Completely open source, implement as you'd like.

    Basically, you give them multiple keys, each by different methods (phone, fax, in person, postal mail, IM, etc), and you select the encryption methods. You encrypt the message on an off-line machine, and pass it to an online machine for delivery. The encrypted message goes out through any unsecured channel (i.e., email). They decrypt on their offline machine and now they have the message. All in all, it could be an easy and secure system. Since my code is open source, you can rehash it any way you'd like.

    This is pretty much what I wrote it for. Secure, unbreakable transmissions over unsecure networks, where it's a given that someone will intercept it.

    I include an encrypted message in my tagline. I'll Paypal $10 to the first person who cracks it.

    My biggest concern would be that they're reading it on a machine that has Internet access. You can secure your servers like Fort Knox, but we all know perfectly well that every foreign machine is suspect. That's a risk you have to be willing to take.

    I've seen sites that provide "secure" data on demand to authenticated users, over SSL via their web browser. You can key it to the end user's IP, and require a user:pass, but there's still potential for abuse.

    If your information is that sensitive, you should only allow access:

1) If they are on the secure portion of your network
2) That part of the network does not have Internet access
3) You have a strong security policy for that part of the network
4) You have a strong security policy for the workstations on that part of the network.

    Since that doesn't usually fly in the business world, you'll have to make the exceptions, which you're asking about. Make sure you have upper management approval in writing for the exceptions that you are going to make, so when it hits the fan, you are not the responsible party.

Have the consultant memorize the data.

In blocks of 1 megabyte

foobar...

[youshoulduseunix]

Generally public key encryption should be sufficient. Just send the data as an encrypted attachment using a private key (which you can tell him over the phone), and send the e-mail (with the attachment) using some kind of public key encryption like pgp.

OPTIONALLY: If you're extremely paranoid, you'll need a trusted 3rd party. So here's what ya' do: Send the data as an e-mail attachment using any kind of truly secure encryption. You can use any number of programs for this: trucrypt for windows, or gnupg for *nix for example. Encrypt the data with a good private key (don't use public key encryption), then get your trusted 3rd party on a conference call along with the consultant. You want a 3rd party who can verify the voice of whoever you're delivering the data to so that you can be sure that it's not some random dude claiming to be from company X and claiming to be person Y. Then you literally tell the person the password over the phone. That way you're both communicating in real-time using 2 different forms of transmission. If the potential interceptor of the data has both your phone lines and your network lines tapped, then you have bigger problems than this little transmission of data. If you wanna be truly paranoid, then you could insist that the receiver use his/her cell phone instead of a potentially IP-based company phone.

Your 3rd option is to physically deliver the data with body guards, a handcuffed briefcase, and CIA assassins present.

TC

truecrypt + pendrive = encripted partition, yo could use a key file in adition (or only) to a password...

Easy...

We do this every day at my employer.

First a 'Data Release Agreement' must be signed, in person. It blames the vendor if there are problems.

Next, we use SFTP access (sometimes SSL), bonded courier, or most commonly we tell the vendor to get their ass to our office.

If they want us to pay big money to migrate to their system, they damn well better show up.

Not.

[KlaymenDK]

How Would You Prefer to Send Sensitive Data?
Not.

If I find it's sensitive enough, it stays right here behind my steel door, and anyone who needs to use it can come and ask to use it, here.

Self addressed envelope

[drunkahol]

Stamped, self addressed envelope marked "SENSITIVE INFORMATION"

Do not let the data outside your network!

[PSargent]

Couriers and encryption are all good ideas if you trust the person at the other end, but in your case the data you're dealing with is too sensitive. You could be responsible (yes, YOU!) for divulging all of your colleagues SSNs, bank account details, etc.

Any company that will not send an employee on-site to do the transfer - under supervision, or at least having accepted, under contract, responsibility for any data loss - shouldn't be doing the work.

Give your HR director a good slap for having agreed to this, and not respecting the security of all the employees.

Simple Really

Encrypt the data with a hashing algorithm (such as AES) with a key. Then encrypt the encrypted data with a different hashing algorithm (such as TwoFish) using a different key. Burn this encrypted data to a disc. Burn each of the keys to separate discs as well. Give the discs one each to three different people. Each person must have no knowledge of the other persons. Each person must take a distinctively different route and method of transportation to get to their destination. Each person is to hand deliver their said item at a slightly different time than his/her counterparts so their paths never cross. The data may then be reassembled at the destination by your consultant. Your consultant must physically destroy each disc such that the remnants of said destruction would not be easily identified as an optical disc.

PDF

One hassle-free way is to use password protected PDF.

Do it on site.

Wtf? Are you serious?

Permanently Encrypted

[ei4anb]

I would provide it in a PGPdisk or TrueCrypt encrypted volume and instruct them that it is not to be copied out of that volume to an unencrypted medium. They can make as many copies of the encrypted volume as they like but never extract the data to an unencrypted file. Deliver by hand/courier and get it signed for. Send key by different channel (eg. encrypted e-mail).

If the consultant wishes to use Excel or similar office tools then they can work off the encrypted volume.

If they wish to import it into a database then they must show that the database software supports encrypted tables and prevents unauthorized dumps of data. They should provide details of which data leakage prevention tools they use (McAfee HDLP etc.)

Put in some fake data (different for each consultant) that would trace the leak source and, if possible, trigger some kind of alarm if used.

Transmission isn't the problem

[Todd+Knarr]

Transmitting sensitive data to the consultant isn't a problem. It's easy. PGP encryption using the consultant's public key confirmed via fingerprint check over the phone, then either e-mail the encrypted file or burn it to DVD and overnight it.

But what happens once it's in the consultant's hands? That's the rub. Once it's in their hands it will be decrypted and in the clear on their systems. It has to be. And you're trusting their security policies and procedures when you don't have any control over them or probably any idea what they are. And the consultant won't be the one suffering the fallout if the data's stolen from their network. Depending on how the contract's written they may not even be liable for the loss, and if they are liable you'll have to fight them in court and you're unlikely to recover a fraction of just your direct costs let alone the indirect, fuzzy costs like loss of reputation.

If it were me, I'd insist they do the work on my systems, connecting via IPSec VPN with proper key management protocols in place, with none of my data ever leaving my systems. And I'd still treat their systems as untrusted, have them VPN into an isolated network segment to do the work with solid firewalls between that segment and the rest of my network.

Why not email the data?

[jopet]

You have been using encrypted email all along, didn't you?

Activate checkbox "encrypt" and you are done.

Commit it to memory...

then go to their office and type it out at their terminal.

Like this...

Encrypt the file using your preferred strong encryption algorithm. Burn to CD. Double-envelope, the inner envelope bearing the name & address of recipient, also "COMMERCIAL IN CONFIDENCE" and security tape along all seams, with signatures on the tape. Name & address only on the outer envelope. Then deliver by trusted courier (or yourself) with the package signed for every time it changes hands. Final delivery should be made directly to a pre-arranged named individual within the receiving organisation.

The decryption key should be delivered in the same manner, but independently (a separate package, sent by a separate courier).

Something could still go wrong but at least this way you've shown due diligence.

The data must not leave the fort

[gr8dude]

Problem - once he decrypts the stuff, you're as secure as he is. If the consultant follows no guidelines and is sloppy - Truecrypt won't help you much.

I think the best solution is to set up a machine to which one can connect with VNC over SSH and see the data on the computer, without copying them off the server.

Naturally, the user account must be unable to establish outgoing connections anywhere, or initiate file transfers [from the VNC server to the client].

You'll need to use a good authentication mechanism, for example a smart card or a token (to avoid keyloggers). The key must be PIN protected; and the consultant must notify you ASAP if the key is lost or stolen, so that his account can be blocked.

Alternatively, you can use another authentication factor - biometry, so that even if someone steals the card and knows the PIN, they can't establish a connection.

There is a tool called Terminal Logon, developed by Dekart, it does all these things on a Windows client.

Re:The data must not leave the fort

[pincho23]

If you can see the data, you can copy them ( data is plural I've been told lately ). There is not much you can do about it. If you don't trust the other side, all the authentication and encryption in the world won't help you.

Re:The data must not leave the fort

[gr8dude]

Yes, but no; I know what you mean. It is easier with video and audio - you can connect the audio-out or the video-out to a recording device and make an analog copy of the material.

In the case of such a remote connection the best they can do is make screenshots or photos of the screen (I assume we are dealing with text data).

This is not very helpful when large volumes of data are involved, though it works fine when all you want to steal is a couple of pages.

p.s. indeed "data" is the plural and "datum" is not, and that's how I wrote it.

Re:The data must not leave the fort

[pincho23]

Even information is not transmitted as machine readable text, but as graphics instead (at least over SSH it is text for sure, and a simlpe script will send you large amounts of data easily, even if you remove scp from the server), a modified client can still easily do OCR to get the text back, and even scroll through the data automatically. A little harder than just copying a file, but not really rocket science either.
So you scheme helps against carelessness, but not malicious intentions.

Btw, I wasn't refering to you post. I just had the urge to say something smart and utterly useless ;-).

B2B VPN and option?

[ditoa]

In the past when we have required a high level of security for data transfers we setup a Business to Business VPN (B2BVPN). It requires that you have static public addresses but once setup it is transparent to the end users. Simply setup some space on a file server for them and then configure firewall policies to restrict access to just what they need (i.e. the file server). Also you can have as much or as little logging as you want. In my opinion it is the best way to deal with such a situation if you can get it setup.

Listen to end users, but carefully

[gr8dude]

No one said they want the data emailed to them; and even if they did, you don't have to interpret that literally.

The consultant is not an IT guru, and they probably don't know about secure transfer mechanisms. What she really meant was "I need to get access to the data somehow".

Quite often end users tend to express software requirements in a way that also tells you HOW to implement them. It is the job of the analyst to figure out what people need and then choose the best way to implement the feature. Obviously, it is not in the competence of the end user to decide how something will work.

She was just trying to be helpful, and suggested a mechanism she is familiar with; what's wrong with that?

Just put it on a CD

[hmallett]

Just dump the data on a CD and send it by post. Don't bother with encryption - it'll just slow you down.
If you want to be really secure, put it in an Access database, and password protect it. Then write the password on a Post-It and put it in the same envelope as the CD.
This advice was brought to you by UK Revenue and Customs.

in the year 10191 we follow NeverVotedBushs idea

Except each shipment is accompanied by a squad of sardukar and instead of pgp/gpg we use the best cryptographic routines we can pry away from the spacing guild.

hey... steganography!

[ariefwn]

i've doing this using Concealar... 10MB master data? no problem... i just put it up on geocities as 20MB PNG, and then textmessage the password to the receiving party!!!111

~ ;)

Do you want theory or reality?

[pla]

First, to every other respondant so far - Know your audience. Non-geeks do not use PGP (hell, only a small fraction of geeks even use it), and most people only use SSL when/if their browser makes it 100% transparent. Don't even mention those, you'll just confuse the intended recipient and get nothing accomplished.

For the "real" answer - Using WinZip, pick 256-bit AES encryption and zip your file. Then send it via regular email, and call the recipient with the password (and although you don't need to pick an easy password, prepare to have to repeat it a few dozen times if you choose anything even remotely secure).

That satisfies any privacy/data security laws applicable to the situation, including HIPAA (presuming the recipient actually has the right to access the requested data) if this happens to involve sending medical records. No, not a glamorous solution, but it works.

Re:Do you want theory or reality?

[Paul+Jakma]

I've used PGP to exchange data with non-geeks. It takes a little effort for them to get the hang of it, but there are user-friendly programmes available for most (all) platforms and MUAs.The other parties in my cases would typically have been college educated in someway, and all had a business impetus behind their desire to learn how to use PGP. However, it's well within the grasp of the required IT competance of any modern knowledge worker.

In the case I have experience of, we found that if we did not require PGP that the remote parties (we exchanged data with quite a few organisations) would instead often propose their own half-baked encryption system. Sometimes these would be ridiculous, snake-oil products which they had been conned into buying (sometimes at great expense) - and we would then have to too! (I can remember one product where the encrypted files bore an obvious structural similarity to the plain-text - clearly something derived from a substition cipher, created by an ignoramus).

So it seems to me that many professional, non-geeks are actually already quite aware of the need to encrypt data (and this was 4+ years ago too), they just don't know which tools are good and which are not. Given that, it seems entirely appropriate for tech geeks to then suggest using a widely supported, best-of-breed encryption standard...

Re:Do you want theory or reality?

[Paul+Jakma]

Oops, as posters here have pointed out, the consultant in this story does not sound very competant and/or aware of security.

If that's the case, may be wise to heed other poster's suggestions of changing consultants.

Send to another person...

[Yvanhoe]

It is of no use to set up a secure channel if the person you are sending to doesn't understand why you would like to secure these data

Carefully out there!

[aunt+edna]

Well, I think you've over-looked the obvious: snail mail. Hire a lot (2000 - 3000) of temps & they each write a letter containing all the details for an employee. You post these letters & as each one is sent, the temp who wrote the letter goes to the Consultant's offices & reads his or her letter & types it into the new system. That would work & everyone understands the method, too. Course, it might have a little delay, depending on the postman. Hope that helps -- not too technical, I'm hoping? Anyone else need knotty problems solved, let me know: I do have some time available for quite deep thought.

It's the people, stupid

[Mumei+no+koshinuke]

Most of the talk here is about forms of encryption, whether public-key cryptography will be compromised, etc. That's all well and good, but how many times have you heard of sensitive data being exposed because someone got it and broke the weak encryption? The average Joe whose hands the data will fall into probably won't know that the encrypted blob is anything sensitive or meaningful, and certainly won't know two bits about encryption. Usually data loss happens because an ignorant person copies the file to their laptop and leaves it somewhere, or forgets the CD marked "Account Information" in their car and gets it stolen.

The fact of the matter is that the biggest risks are who the consultant is, who else has access to their machines, and how much they care about protecting your information. Even if you don't use crypto over the network, I find it quite hard to fathom that your ISP is sniffing your data, and even if they were I doubt they could pick out the confidential information. That's a movie plot threat and not something that happens in the real world.

In analyzing this sort of risk, my opinion is that people are usually the biggest factor.

pgp each field

That's right, use a different key for each field and then gpg the end result with another key. Then rot 13 it for good measure.

AES encrypted data on a DVD in the post

[HammerToe]

I had to recently send a backup of data to a client for them to keep for audit purposes and in case we went bust.

I tarred the data up and encypted it with a random string run through aespipe. I then burnt the data to DVD and posted it to them. Once they confirmed they received the DVD I emailed them the key and told them to keep it safe.

Neither the DVD nor the key are any use on their own. The end user doesn't need any PKI setup at all. There is a readme on the DVD telling how to decrypt it, and they are tasked with keeping the key safe.

-Matt

Tell the consultants -

[Geminii]

- that they will be working onsite at the company, using only randomized variations of the real data, and will not have access to noncompany equipment or the internet. Writable media of any kind is disallowed. Their workstations will have read-only CD/DVD capability and no working USB, serial or parallel ports. They may request upgrades to the existing capacities of the machines (CPU power, additional RAM or disk, extra workstations or servers) but not add extra capacities. They may bring in their own software. The equipment they are given will be airgapped from the company network. The randomized company data will be supplied on DVD or CD.

No cameras.

Be Paranoid...

[Firefalcon]

Firstly, as a somewhat paranoid former sysadmin, I'd not want it to go outside of the firewall.

If management insist, then encrypt the compressed data file (PGP/GPG/etc), and either copy it to the person's laptop on site, or over a VPN. Given the issues here in the UK with sensitive information getting lost by the courier, I'd avoid that route, even with encryption.

Ideally, insistence on full disk encryption while this data is on her laptop (and tight restrictions on who has access on any server if it's put on one at her end - perhaps only permitting the encrypted copy to be left on there out of hours, or again disk encryption) - as other posters mentioned, people are the main issue here, with the potential for the laptop or media containing this data to be lost or stolen.

Let me get this straight...

[ocbwilg]

Upon being told that I would not email this data to her, the consultant asked what my security requirements were for sending the data. What would be on your wishlist for the best way to send sensitive data to someone outside your firewall?"

Your consultant wanted you to email the personal data to them to begin with? Well, first on the wish list would be a new consultant, preferably one who takes security seriously enough to not ask that confidential personal data be sent via email. It's not like they don't know what kind of data they have there, and the lack of consideration for security in acquiring the data from you does not bode well for how it will be handled once they have it. I would probably require that they either come on site and work with the data via your machines on your network, or I would demand a partnership agreement with them that spells out hefty penalties if they fail to follow specified security practices, especially if that failure leads to data compromise.

Re:Let me get this straight...

[reikoshea]

SSL (RSA DSA encrypted tunnel) and PGP (GPG) at the same time is the only way my company ever electronically transmits sensitive personal information.

Just encrypt the damn thing

[Qbertino]

By far the largest problem (95%+) with security isn't technology but the procedures involved with true security. Use any system that is safe and easy to handle. A good PGP setup (costs money), a good GPG setup (costs time) or - this is what I would do - file encrypter programms like KGPG. Those are the most hassle free to use - contrary to those bizar multi-standard email encryption setups that can easyly fail due to incompatabilities. There even are file compressors and archive programms out there that support encryption (check for the strength of that beforehand though).

Once you've done that and have esablished a secure pipeline to your adjacent on the other end see to it that his procedures are as secrue as yours. It might even be the best just taking an ecrypted stick or HDD over to him in person and help him migrate the data. That way you can ensure there is no leak on that end. If you're really serious about security, that's the way to do it.

PGP

[Paul+Jakma]

You want PGP. I've used this to transfer files of data worth millions* across the internet. The procedure is quite simple:

• Both sides obtain PGP software (widely available)
• Both sides generate keys
• Both sides exchange keys in a manner that allows each side to be sufficiently assured that the key does indeed belong to the other party**
• Create a zip file of the data to send
• Use the PGP software (perhaps as a plugin to your email software, for maximum convenience) to encrypt the zip file with the key of the recipient, and sign it with your own key.
• Send the encrypted and signed file - ideally to the intended recipient, but if you make a mistake in that it won't matter :)

* Quite literally: the data being codes that granted temporal access to certain widely used commercial services, each code having a definite monetary value.

** Exactly how depends on what level of assurance is required and acceptable. Ideally you should exchange keys in person. If that is not possible, via a trusted intermediary. If that is not possible, via a distinct channel from normal channels of communication (e.g. post, mobile phone; landline phone as a last resort). You can exchange keys via email, and then verify the keys 'fingerprint' over a secure*** channel, if that secure channel lacks the bandwidth for key-exchange (e.g. voice phone ;) ).

*** Sufficiently secure for your needs that is. There are no absolutes in security.

stanglover

[stanglover]

to be honest, if you are truely concerned about the security of everyone's SSNs and personal information, you can always turn to an archaic form of secure correspondance: certified mail. every person who handles certified mail must sign for it in ink, and it is a Federal Felony to lose/misplace/steal certified mail. Dont quote me on this, but I think the US military has approved certified mail as one medium of transporting items labeled "SECRET". Given this method will take more time, but the end result will be probably the best solution to security of the data in transit. if you hate the consultant, print off the data and mail it to him, and if ya wanna be nice, just toss a CD in mail.

Re:stanglover

[base3]

You're thinking of USPS Registered Mail, but other than that, you're right.

Always amazed

[Stumbles]

Thanks for the heads up not to do business with your company and partner company who seeks the opinions of ./er's about sending peoples SSNs over the internet. The question you should be asking yourself is, how do banks and credit card companies handle such extremely sensitive personal data and use a consultant specializing in such matters. Otherwise your HR person has committed your company to exposing its behind to all sorts of legal entanglements.

Re:Always amazed

[Shados]

Even if you get a specialised third party to do it, you still need to know it yourself from your own research...

In this day and age, "specialised consultant" just means someone who can sell a fridge to penguins in the south pole. So you need to be able to double check that they really do know what they're doing.

I worked for a company who made portfolio management solutions for banks... We could pass all of the audit tests and fill in all of the security check boxes on their requirement sheets. Still could hack the damn thing with an HTTP sniffer/proxy and something to forge HTTP requests, in an hour or two...

hold it

[nguy]

I hope your scp setup has chroot cages set up, because otherwise, your clients can go poking around the rest of your SCP server and potentially do all sorts of damage.

You can use chroot as an additional security blanket, to protect against possible bugs in scp. But if you don't use chroot, that doesn't mean "your clients can go poking around the rest of your SCP server". Furthermore, there are many alternatives to chroot, including vserver and AppArmor.

chroot cages are built in

There are plenty of webdav implementations that do not come with chroot.

I'm sorry, but a little knowledge is dangerous when it comes to security, and your blind faith in chroot is dangerous. Chroot is neither necessary nor sufficient for ensuring security.

Re:hold it

[nahdude812]

Nor is chroot intended as a security tool, even though it's widely used as such. It's quite possible to break out of chroot jail.

Re:hold it

[Antique+Geekmeister]

Oh? You think not? If you don't have chroot cages, or some other more complex and thus more likely to trash your system tools to isolate SCP or SFTP users, a pernicious user can overwhelm just about any writable directory on the system. This includes /tmp, /usr/tmp, and /var/tmp (which are often symlinked togetyer). Alternatively, any log files or system applicaitons which were not carefully secured will be vulnerable. Jabber servers installed by default in /usr/local with their passwords in cleartext, MySQL databases installed manually with unwise permissions, even home directories of users who want to "share their workspace" and have have reset their home directory to global read permissions, with their HTTPS Subversion passwords in the clear-text local storage that the Subversion clients insist on, all become vulnerable. Or if the server is running autofs, the SFTP user can go into any local NFS server he wants by poking around in /net/[hostname]/.

While you may be careful to have a properly secured system for these services, far too many casual users andn busy admins just use the available tools without thinking about the repercussions.

And simple vandlism like swamping /tmp or /var/tmp will make your system unusable to ordinary people, because even if you've got them on an isolated partition or two, various utilities will casually attempt to write there and fail when they can't. It's very difficult to predict what will fail in such circumstances. And if they're not on a separate partition, they can overflow /. That leads to very, very expensive downtime in an industrial use, or a lot of frustration cleaning up the debris for a casually built server.

Even setting up the chroot cages for contemporary versions of OpenSSH is awkward. It's a manual process, and the OpenSSH chroot cage puts all such users in the __same__ chroot cage, rather than allowing different cages for different users. There were better versions of that all the way back with ssh.com's ssh-1.x, before OpenSSH was even invented, that would allow different chroot cages for different users.

Tools like Apache allow one to trivially configure something nearly the equal of a full-blown chroot cage, in a commonly used and easily configured fashion with no add-on software which requires updating anytime a system tool updates. It's a much cleaner approach. Even FTP servers and rsync have learned how to do this properly andn keep the /etc and /bin and /lib directories out of the effectively chrooted space.

It's not technically a chroot cage in those instances, but it's a well-isolated upload/download location, and quite effective at keeping users out of the rest of the OS.

Re:hold it

[nguy]

Oh? You think not? If you don't have chroot cages, or some other more complex and thus more likely to trash your system tools to isolate SCP or SFTP users, a pernicious user can overwhelm just about any writable directory on the system.

If you don't want people to be able to "overwhelm" any writable directory, then f*cking use the mechanisms that are designed to prevent people from doing that. If you don't know what those are, then you have no business doing UNIX or Linux system administration. Hint: chroot isn't one of those mechanisms.

Even setting up the chroot cages for contemporary versions of OpenSSH is awkward.

Well, duh, that's because chroot isn't intended for that purpose.

It's not technically a chroot cage in those instances, but it's a well-isolated upload/download location, and quite effective at keeping users out of the rest of the OS.

So, it's, in fact, not a chroot cage at all, it's an application-implemented set of access and security policies. Which is what I was saying.

Hide the Heiney? n/t

no text

Obvious

[salesgeek]

Have you ever considered simply implementing public key infrastructure using good old fashioned rsa certificates? Almost all email clients support smime and it does two things:

- Allows for encrypted messages (secure)
- Allows for automatic signing of messages (authentic)

PGP is another good choice, but it takes more work for the end user. Another nice feature of using PKI is that the same certificates can be used for web authentication as well!

Station Wagon

[Compulawyer]

Never underestimate the bandwidth of a station wagon full of disks. The information on those disks is encrypted using PGP with a Really Big Key(tm) , of course.

SSN

[c0d3h4x0r]

Technically, only the government should ever be asking for your Social Security Number. No one else (doctors offices, businesses, lenders, etc) should ever be asking for it, even though they do. Whenever I'm asked, I provide only the last 4 digits, and if that's insufficient for their purposes, then I refuse to do business with them.

Re:SSN

[spikedvodka]

Reread TFS... HR Database... technically your employer needs it to properly report to the feds.

Re:PGP -- step three revealed!

I think I can help here: step 3 is: 'apply copious amounts of lubricant'.

Be Secure keep it On Site

I would force the consultant to come on site and TEST, I would not let the data off the property.

Depends on how much data and how often.

[setrops]

1 small file a day? PGP through e-mail
1 large file? PGP via FTP/SFTP so this could be automated.
Continuous access to a DB? Probably interconected with some VPN solution.

Exactly - now scale it up to a regular 1024bit key

[DrYak]

So it would take 2000 computers to do this in about 2 weeks? Exactly. Now double that number for each additional bit in the key (and divide accordingly as the number of computers in the bot net increases) :
Cracking a 1024bit key with a botnet of 2'000'000 computers, would take a tad less than 2*10^106 years.

By then, either the universe will have reach heat death, or we'll have developed more efficient cracking technologies (quantum computing) and conversely, more secure communication channels (quantum key distribution has seen experimental usage already - maybe one day, the technology would be able to do quantum *data* exchange).

Broadcast it

[dosun88888]

Your question is kind of like asking how to secure the door into your paper house.

Yeah, jump through hoops to encrypt the data so that the consultant has to wait to decrypt it before they can either willfully or accidentally leak it on their end.

I have a lot of rants about security absurdity, and this is up there in the list.

Compartmentalisation

There are lots of places in HR processing where some small subset of an individual's application data needs to be exposed in processing. In compartmentalizing data, you are wanting to expose as little as is possible.

If you are checking if some given person lived at a certain address at a certain time, the task gets broken up into parts. There is no need to expose personal information if the first task is to verify that the address did in fact exist at the time claimed. The second part, verifying the person lived there does need to expose the name of the person. However, if it is the same party that verifies both parts, the result of the first task can return a one-time encryption key which is used to encrypt the second request.

Part of compartmentalizing data, is to change data flow. Do not process down a single application, process across all applications. If you are verifying addresses, verify all addresses across all applications at the same time. Shuffle the data. It is harder for outside parties to associate one piece of data with any given person.

In internal processing, most of the time the people doing the processing do not need to know who the applicant is, in order to process some specific item. Use some random string for identification of data checked out for analysis, which is then used during data check in to put the analysis results in the correct place.

via parcel

[Gewalt]

The most secure way to transmit data is via parcel. Spend a couple bucks, buy a thumbdrive big enough to hold the data. Then encrypt the data with truecrypt or PGP or GPG or whatever. Email the key to the recipient, and then overnite the encrypted database. Surely, your clients privacy is with the 30$ investment to your company?

SFTP

[hlt32]

I would use SFTP.

Simple, easy to set up and windows clients are available.

On a physical medium, by snail mail

[wertigon]

If it's very sensitive data, I'd send it over on an inconspicious CD-ROM or DVD-ROM disk by reccommended express delivery.

If it's not quite that sensitive, encrypted VPN/SFTP do the trick.

In a tank.

[Oktober+Sunset]

A big tank, full of Nazis. This is absolutely secure for sending anything except Henry Jones.

Don't Send It!

[Awful+Truth]

Why should the data leave your control at all?

Your company is paying the consultant, why can't she come to you?

If that's impossible, look for a solution using a remote login and a technology like Citrix; she'll be able to work on one of your company's machines, but not copy/print/easily transfer data.

As other respondents have noted, the greatest risk is not in the transfer of data, but in everything that happens after the transfer, while the data is in the control of your consultant.

Mail it.

[caveat]

Not some fancy, expensive, uber-high-security bonded cleared and armored courier, either.

USPS Registered Mail.

If it's good enough for the government to send Secret-level classified information, it'll do just fine for a bunch of identities.

Zixmail

[dlur]

Three years ago I would have said PGP. Today I'd email this using Zixmail encrypted email if the file size was under 5MB. If the file was over 5MB I'd zip the data with Winzip to an AES256 encrypted file, burn it to a CD/DVD, send it via courier by Fedex/USPS/UPS/etc, and send the encryption password out of band via email or phone.

Don't send it out

[Maclir]

Tell the consultant that sensitive information like that cannot be sent outside of the organization. Get them to set things up inside your organization.

We have been asked to do a similar thing here - and said emphatically NO.

Don't send the data anywhere

Make the consultant come on site and perform the operations on your equipment in your infrastructure.

If you send it PGP encrypted that only covers you during the transfer. What happens to the data after they unencrypt it? Do you trust them to securely delete it? I don't, not unless it is included in the contract.

distributed.net

[yabos]

Go have a look at distributed.net to see how effective thousands of computers are at breaking RC5 encryption with a 72 bit key. So far it's been going for 5.5 years or so and is at 0.495% of the keyspace http://stats.distributed.net/projects.php?project_id=8
This is only a 72 bit key by brute force. Try breaking AES 256, I dare you.

This is really simple, people

[flappinbooger]

Just zip it all up and password protect it, come on!

-ducks-

Re:You mean like rsync?

[yabos]

I guess he's sending it to Alpha Centauri

SMIME

[rAiNsT0rm]

No doubt SMIME. I used to be in charge of a large bank's IT/security and SMIME was it.

You need a security policy.

[DangerTenor]

I can't stress this enough. You need a company information security policy.

Your information security policy should at a minimum cover the following items:

• Definition of critical business information (CBI)
• Definition of personally identifiable information (PII)
• Who can and cannot have access to CBI and PII
• How CBI and PII must be protected when stored
• How CBI and PII must be protected when transmitted
• How systems which store, transmit, or process CBI and PII must be protected to ensure the safety of the information (e.g. anti-virus, disk encryption, firewalls, etc.)

I plan to write a blog post today or tomorrow at our blog, http://securitymusings.com which will go into a little more detail on this.

Now for a direct answer to your question: strongly encrypt the data using a 128-bit (or longer) standard encryption algorithm such as 3DES, AES, or Blowfish. If you are using password-based encryption, use a long and random password, such as those generated by any good password generation application. (GRC has a web-based one.) Use at least 20 random characters to create a sufficiently entropic password. Communicate the password out-of-band, such as via telephone, fax, or mail/fedex. There are lots of available tools to do proper encryption, such as PGP/GPG, WinZip, etc. Use one, don't write your own.

Re:You need a security policy.

[Hillgiant]

Please do not take this the wrong way. I speak as someone who is in the process of writing ISO 9000 quality manuals for two different companies.

If you have to invent a TLA to describe the process you have already lost. If you want the policy to be actually implemented, it needs to easy to understand. Brutally easy. Comically easy.

You can email it safely

[HangingChad]

Use Truecrypt to create an encrypted file container, load your data and email or FTP at your leisure. You can phone the receiving party with the password and they can work with the data in the encrypted file container and neither of you have to worry about losing it, provided they unmount the file container when they're done and don't store the copied data anywhere else. I do it all the time. You can even transfer files back and forth between Windows and Linux with Truecrypt 5. I haven't tried the trifecta with OS X but I'm not seeing any reason that wouldn't work as well.

There really isn't any reason not to use encryption these days.

If you find Truecrypt useful, maybe making a little donation to support development might be nice.

Use Websafe's encrypted collaboration

[lbates_35476]

www.websafe.com (currently being renamed www.vitalesafe.com) provides encrypted sharing of folders over the Internet. Much easier to set up and maintain than a VPN (you could have a secure sharing configuration set up in less than 10 minutes). Requires no special client software (you can use browser, or WebDAV client, or free client-side sending software). Your data is protected end-to-end during the transfer and during the on-disk the storage. Every account has a unique encryption key. One of the design goals of our product is to meet just such a need as the one you outline. There are other features like online backup, Patient managed Health Record (PHR), and a Password Manager that can be used in addition to the secure sharing/collaboration. Free trial accounts are available (limited to 50Mb). Disclosure: I am the Director of Technology for WebSafe/vitalEsafe.

DVD/hand carried

[klubar]

Actually if you use USPS registered mail you'll get a traceable route of the data. If the data is super valuable, you can contract with a secured courier (think armored truck) to transport the CD. We occasionally do work for financial services firms, and since they already have a armored truck courier service for moving cash, it's easy for them to schedule a pick up with an armed guard.

Even if the CD is stolen, it's still encrypted--and armored trucks (especially ones carrying data) are rarely held up--and they have insurance.

Don't go too crazy with the NDAs

I've been doing this for 10 years, as a consultant. When I go into a company there's always some enthusiastic 25 year old who gets the suits excited. Recently I was asked to sign a 25 page agreement (this was for a contract worth $7K).

I didn't even read the agreement, I thanked them for their time, got up, and left the conference room.

They called me back and said that they wanted to know "which part of the agreement made me feel uncomfortable." I told them that after I had walked away I had a lawyer friend look it over.

"Well," I replied, "the clause about surprise inspections in my office or home at any time of day or night was a bit scary."

Two weeks later, I went in and copied the data to my laptop. It wasn't encrypted, or signed. I gave them a one-pager that said "I will not divulge any non-public data I come across that includes your client list or the personal details of your customers. I will make reasonable efforts to secure the data. I do not stipulate to any damages and any such claim is hereby waived by the Company."

The 25-year-old sysadmin had been fired.

in person

[depend]

come on. Just walk over.

Re:in person

[kyldere]

I second this idea. Good old sneakernet might even result in faster transfer speeds. If you are really concerned about the data, you can have a send someone with the data and someone else with the decryption algorithm.

Encrypted VPN tunnel

[egandalf]

Encrypted VPN tunnel. I work at a Hospital and that's our primary method for external data access.

Personal files

[highwayfive]

For my own use - transfering files from work to home and back I have found a great little tool. Its free! quick to install and a joy to use. Drag and drop your files and it uploads them and sends you an email link for the files. Okay the data storage is limited for the free version but its a so easy to use. http://www.interouteexpress.com/ I found it on their website when I was browsing for ethernet providers. www.interoute.com â" Fast Ethernet Network

User dependent

[sect0r0]

I would say it depends on the sophistication of the company you are sending to. Are they small? They probably don't have IT staff and can't handle an SSH or VPN type transfer. Here you can use something like PGP web messenger or another third party securemail system that allows you to send messages that outside users can retrieve via an https secure site. If they are larger, you can work to get a technology like TLS enabled on your MTA and their's to encrypt from site to site. If they have an IT staff call them up and talk about the possibilities. They may support PGP. Or perhaps some other delivery method like an SSH sftp transfer.

encrypted PDF

[nguy]

Most people in such situations seem to be using encrypted PDFs. They're not as general as PGP, but they are a lot easier to use for recipients.

Of course, an even simpler way of dealing with it is to give people access through SSL protected web pages.

Bayl bar nafjre

Anghenyyl, gur zbfg cbjreshy rapelcgvba flfgrz va gur jbeyq!

Why is this considered a challenge?

[HEbGb]

This is really dumb. Just encrypt the file using any number of techniques (sheesh, even WinZip has decent encryption now) and email it. Then call him on the phone with the password.

This isn't rocket science, folks.

Why would a consultant want the data?

I have worked with vendors that provide applications that my company uses. We have never had to send live (production) data to the vendor to load into the application. What we have sent are data structures that are currently in use. From that the vendor provides a script that we run to load the data to the application. In many cases a set of test (bogus) data is provided to the vendor for them to test their scripts.

Look at Atabok

[neuromandw]

I've worked for several security technology companies including RSA and Sony/BMG (yup, they developed DRM software, so they qualify), and have found Atabok has excellent technology and solutions. Standards-based: x.509 certs, managed PKI, 256 bit AES, protected in memory, integrates with Outlook, Notes and Acrobat, and has clients which run on Linux/Unix/Mac. It can be hosted or brought in-house. The client experience is pretty close to seamless and, unlike PGP, easy to install and manage for an organization. They even offer DRM for office/PDF docs (view/print/combust), all in one integrated solution. What's more, the people that work there are great, esp. their chief scientist [IMO].

IronPort E-Mail Encryption (Formerly PostX)

[jon3k]

http://www.ironport.com/

Yeah, seriously, they're awesome. We're using three clustered C150's at two datacenters right now. You can ditch all your other spam/anti-virus software too. Expect to pay about $15/mailbox/year for 3 appliances. Also might be worth mentioning that they were recently purchased by Cisco.

We use them to automatically scan and encrypt any message containing ePHI (think HIPAA), ABA's, SSN's and credit card numbers. You can also install an outlook plugin to implicitly encrypt messages or create mail rules to always or never encrypt certain messages from certain people or groups (great LDAP integration).

And the spam filtering is phenomenal. I really can't say enough good things about these appliances. They replaced several fedora+clamav+sendmail+SA boxes I was running and I couldn't be happier.

Don't do it

I wouldn't do it... Encryption is not the answer as this person now has your employee's personal data offsite. Insist it be done in house on your network on hardware you control is the only safe solution (and even then...).

The simplest and *MOST* secure way...

[multimediavt]

External hard drive (or RAID depending on size of data) encrypted (hardware or software) FedEx'd or couriered to the offsite location with the encryption key sent separately via a different carrier or mechanism. I use this scheme with my consulting clients and everyone is happy.

It's high latency, but it's great bandwidth and security.

That's easy

[Minwee]

Just follow UK government standards and write all the data on a CD or two then stuff them in the regular mail.

Honestly, what could possibly go wrong?

If you have to ask....

[44BSD]

Tell HR to ask Legal.

If you do not already know the answer, you are the wrong person to turn to.

This answer is not meant to be disparaging.

simple

[spikedvodka]

two words: Bonded Courier

extended version: Ask what form they want the data in... burn to cd/dvd copy to tape/etc.
place in tamper-evident sealed bag, place in couriers hands with orders to release to nobody except the authorized person. ask for a signed reciept

or for the very paranoid

[marros]

Use a data encryption program to encrypt the data first, then use rar and password protect it. Burn it to a cd and have the post office (or bonded courier) deliver it, get a signature, and have them return the receipt. Then you can give the person on the other end the passwords in person.

My answer.... I wouldn't. send it...

[GuyverDH]

I'd say, here's your plain ticket, ship the server and software here, be prepared to stay awhile.

No data exchanges to anything belonging to the consultant.

No data removed from the premises to review for oddities overnight.

Laptops for use to browse the web, access web mail provided by the client, to remain on premises at all times.

Once the conversion is complete, send the consultant packing with nothing but his cellphone/pda.

But hey - I'm an evil data security monger...

Re:My answer.... I wouldn't. send it...

[GuyverDH]

gah...

I hate when I don't preview and catch a glaring typo...
plane ticket...

time for more coffee....

SSLDataExchange.com

Our small consulting company ran into this issue and developed ssldataexchange.com as a solution.

Simple idea really: our customers log in, create a subaccount for their business partner (or accountant), and upload files to our website.

Their business partners are notified about subaccount creation and emailed an initial password. This password must of course be changed at the first login. They will then be able to securely retrieve any files in folders they have permissions to read.

We offer flexible folder hierarchy, permissions, and notifications.

Overall it is meant as a substitute for something like a SFTP server, without the need for local server or client installation/configuration.

There was definitely a gap to be filled between easy to use but horribly insecure and secure but geekiness required.

Could Be Worse

It could always be worse,

At my office we deal in point-of-sale equipment and software. We often have to help customer's process batches of credit cards during their nightly close and sometimes the data has to be manually processed through the credit card processor. When the cards have to be manually processed, we send them a list of the transactions, the last 4 digits of the card number, as well as some other information.

I kid you not, they require us to accept full card number and customer information via fax, and will offer no other method. This is infuriating to us, as we go through e-fax and our faxes come in as plain email!

HERE IS A REAL RECOMMENDATION

[lancesnyder]

For those of you suggesting background checks, credit checks, attorney documents etc... you're all a bunch of idiots. I am a CISSP and a CISA. I deal with this kind of stuff on a daily basis. Here is a REAL recommendation. Please disregard all the other morons who think they know what they're talking about. Use SFTP. Use SSH-2 or above. It is a simple implementation, and there are many opensource options for you to choose from. It will provide you with the confidentiality you're looking for, as all data will be encrypted. You do not need to worry about background checks, credit checks, attorney documents etc. It's not like your company went and found some people in the alley behind your building and paid them to do some work and help your company with software. Chances are there is an agreement of some type between the consultants and your company. The consultants know what they are expected to do, they know their limitations, and they are aware of the consequences of deviation. Your company obviously trusts them enough to help them implement the software, and im betting this isn't their first rodeo. This is a simple task, with a simple solution. It's not rocket science. There is no need to complicate it anymore than it needs to be. If you follow my recommendations, you will be fine. If anything would happen, it's not your fault, it's senior managements fault. You didn't pick the consultants, you simply provided a safe means to allow your organization accomplish it's objective.

Been there, done that

[mrmagos]

This sounds like the headache I went through implementing HIPAA policies where I work. My first thought and recommendation was PGP. It's widely used and you only have to do the key exchange once per contact. Plus, it was a hell of a lot better than what they were using before, which were password-protected Excel sheets.

However, training our staff proved difficult, they kept getting hung up on the key exchange, even though they were reminded that it was only necessary to do this once per contact, and they would be assisted in this process. The other difficulty was partners and consultants were unwilling or unable to implement PGP (or something compatible) on their end.

Since PGP seemed too complex for the HR crowd, I tried implementing something that would be a bit simpler, and mirror their current process: encrypted zip files. Kludgy and ugly, but it fulfills HIPAA requirements (secure transport). Winzip is familiar and easy for them to use, and supports 256bit AES encryption. Before they send sensitive material, they call the recipient first to share the password, then send the data.

USPS

[Anonmyous+Coward]

On a USB drive. Encrypted with PGP. Via USPS registered mail. You provide her with the key via a separate medium, of course. And before you send her anything, make sure you have a contract that your lawyers have looked over where she both attests to being aware of your company's security and privacy policies and assumes all responsibility and liability for the security of the data once she receives the drive.

How much risk do you want to accept?

[Bagheera]

There's some good advice here already, and a lot of good questions that need to be answered before anyone could give a comprehensive answer. But having done a bit of this myself when I worked at "Large hardware vendor in The Valley" I've got a fairly simple combination to toss out.

1: Encrypt the data itself. PGP/GPG is your friend. If your consultant can't figure out how to use basic file encryption, find another vendor.

2: Confirm the keys. Face to face or on the phone, make sure you (and they) have the right keys on your ring.

3: Secure the transfer. In theory, properly encrypting the data itself should be enough. Even if the file's intercepted in transit, it should be unbreakable. That doesn't mean you shouldn't transfer it over a secure pipe. Pick your method here. SCP / SFTP are fine for point to point. So is burning the encrypted file to a CD/DVD and sending it via courier.

4: Accept the risk. Once the data's out of your hands, you no longer have control over it. You can't stop the contractor from signing for the package, decrypting the file, sticking it on a thumb drive in cleartext, and leaving the thumbdrive on the counter at Starbucks. Getting them to sign appropriate legal documentation will shift the liability, but won't actually stop the damage from the data getting out.

Your mileage may vary.

Cheers,
Bagheera

D) None of the above.

[Sun.Jedi]

As I understand, they are sending data to a contractor so he/she may populate a DB (or something) with data for an app migration. This is an unacceptable practice, no matter how you slice it, because ITS A CONTRACTOR.

I'm pretty sure the contractor can jump on a plane and perform the neccesary work on a known, secure platform without the requirement of sending data out. If not, I'm 100% there is another capable contractor willing to perform work in a safe, secure manner out there.

The net cost is easily justifiable, IMHO, compared to the cost of restoring business reputation from sloppy policies and process.

Not SFTP

[jotaeleemeese]

It is vulnerable to man in the middle attacks, unless you buy a commercial solution with host authentication.

I have no expertise with setting up VPNs, but a similar situation may arise.

Re:Not SFTP

[Foldarn]

No, it's not vulnerable to man-in-the-middle attacks because the VPN is secure. It encrypts ALL traffic going over the tunnel. In most cases, it's encrypted 2x over due to the fact that there are in actuality 2 tunnels. Phase 1 has 2 endpoints set up between the 2 public IPs. It creates 2 pseudo endpoints within that with internal network addresses and the second tunnel between them is created that's also encrypted. The traffic goes through this second tunnel. It WOULD be vulnerable to man-on-the-inside attacks but there is no situation that's free of fear from those attacks.

Burn it

[DMCBOSTON]

Burn it to a disk and mail it. Registered mail, if you are REALLY paranoid. Cost is about $5.00. Security? Priceless.

You must be joking.

[jotaeleemeese]

One thing is to safeguard the integrity of the data (VPN) and another one is to safeguard access to a service (FTP).

It is ludicrous to suggest that both should be tied up.

Security by obscurity.

[jotaeleemeese]

How much cavalier can one get nowadays?

Everybody and his dog knows the flaws of ftp and it is almost certain that most people in your office will know which the ftp servers are.

Sorry, but your assumptions are rubbish.

sftp makes matters slightly less bad, but still has issues that need to be thought about and not dismissed as unlikely.

Easy!

[eth1]

- Encrypt files
- Rename files to Episode001...999.mpg
- Burn data to DVD(s)
- Label DVDs "Barney Reruns"
- Mail DVD(s)

No one will dare try to even look at it! :)

Far more secure.

[jellomizer]

You force a guy to memorize all the data perfectly. put in his mouth an unidentified liquid, that such mixture cannot be purchased at the stores along the way. Have him run to the consultants if the liquid is gone from his mouth have him shot. Otherwise have him spit out the liquid and have it tested if it doesn't match (this can be given over the telephone after he gets there) have the messager shot. Otherwise the messager will realy the information to the consultants then given a brand new liquid to verify the information was recieved send him back to the company. Once again shoot the messager if the liquid is gone or missing. and repeat until all the information is shared. Once all the information is shared shoot the messager to insure that it will not be repeated.

Use Google Health

[baggins2001]

Just post it there. What could go wrong?

Why do they need the data?

[jotaeleemeese]

Nowadays people can work remotely.

So make an account for your contractor and then control access to the data locally.

At the end there is also a degree of trust (enforceable by contracts) in which you evaluate if your business partners are capable and reputable, because no matter what you do, once a third party can read data they can copy it.

Simple solutions

[511pf]

Wow - there are lots and lots of ridiculously complex solutions here. I'm assuming this is a one time data transfer. How about this:
1. Make a copy of the database
2. Encrypt it with PGP Disk or TrueCrypt.
3. Put it on a DVD, Flash or external hard drive.
4. Meet the consultant, hand the data to her and tell her the password. Alternatively, courier the DVD/flash drive to the consultant and give her the password over the phone.

I'm assuming you can identify person and there isn't going to be some movie plot threat involving imposters who assume the consultant's identity by getting her face surgically attached to theirs in an effort to steal your data.

Don't make it more difficult than it needs to be.

Dial-up modem

[pestilence669]

Two dedicated lines, two 56k modems, many small PKZip files w/ password protection, terminal software, Xmodem CRC, and a phone call to say "I'm dialing in RIGHT now, plug the server in." be sure that you answer manually, so war dialers can't get in!

Send outside the firewall? Via UPS

[jgt10]

If I don't trust sending something via email, why would I trust ANY kind of electronic transport?

By the time any VPN, PGP, or other encryption method is worked out a flash drive or CD or DVD with the data could be FedEx to the consultant.

Many years ago the pithy comment was "Never underestimate the bandwidth of a station wagon loaded with tapes."

Today it might be "Don't underestimate the bandwidth of a minivan loaded with DVDs."

JGT

Keanu Reeves

[indytx]

He made the best courier.

It does not matter

Your data will just go into databases that will be leaked or can be easily cracked one way or another.

Sneakernet!

[answerer]

I personally would be more concerned about what the consultant is doing to ensure data security on their end than how you transport it.

If it's within driving distance, encrypt it with PGP, burn it on a CD/DVD and send someone on a road trip. No complicated technical problems to deal with. Otherwise, send it through a courier service.

Don't let them load the data set off-site

[diGitalRchitect]

There is a lot of talk about secure ways to transfer this data off-site, but you should be trying to determine whether it is really necessary for them to load this data off-site. Once the data is off-site, encrypted or not, it is out of your control.....and that should give you pause.

It sounds like they want to load the data onto a system that they are building for you. I suspect that this system will eventually be installed at your office, not theirs. What they need to do is formalize the process for importing data from your existing system into their new system. There is no reason that they need to use live data for this purpose. At the very least, you should be able to create a file (or tables) with non-sensitive data fields filled with real data and sensitive fields filled with test data. This should allow them to perfect their import process. You should then load the real data only when they deliver the system to your location. Or as an alternative, you can then just update the records to fill in the sensitive data when the system arrives. Following this, you and the developer should then be able to perform a full series of tests with the real data before you deploy the system.

AxCrypt

[Max_W]

http://www.axantum.com/AxCrypt/

open source, free, and simple to use. Encrypting files and shredding(!) them after use.

Re:AxCrypt

[Max_W]

Or VPN access and a LAMP application on your computer, which shows necessary data to a contractor via an intranet web page and SQL queries.

Without giving the whole DB to a contractor.

Limit access to the page to IP address of your contractor and put a password. All in Apache configuration file.

Exchange 2007

If both organisations are using Exchange 2007, try Mutual TLS for domain security:

http://technet.microsoft.com/en-us/library/bb123543(EXCHG.80).aspx

This allows you to ensure the messages between organisations are always transmitted across encrypted channels. This is a good enough solution for most purposes, and if they are using Outlook 2007 it will tell them the message has went through secure channels.

If that's not enough (or you're not using Exchange 2007) and you have certificates for S/MIME, import the root certs into your organisation (if required) and exchange public keys. If the people emailing the secure data changes a lot, then you can publish the consultant's public keys to your GAL as a contact - see here: http://msexchangeteam.com/archive/2008/04/23/448761.aspx

Sending sensitive data

Verify with policy if it should be sent at all.
Follow secure company policy guidelines every step of the way.

Secure the pipe, the client, the server and the data itself. And, breaking the file up into smaller chunks encrypted differently is a very good idea.

Re:Exactly - now scale it up to a regular 1024bit

[Stewie241]

Though... the end of the day... you can do all the math you want... you don't need to try every key... you have to try every key until you find the right one. It doesn't matter how encrypted it is, it is possibly to stumble across the key by blind luck.

Re:You mean like rsync?

[Macthorpe]

Physical media is not a good idea because it's obsolete by the time it gets there. 3.5 inch floppy disks - invented in 1983, and I can still buy floppy drives from my local computer store.

Where are you sending things that takes 25 years to post?

or FedEx, but NOT any company with bike couriers

don't EVER send something you value with bike-couriers:
the bad companies prefer to have too many couriers hired, ( it's piecework, so if there isn't enough work for you today, you just have to live on 1/2 minimum wage, or whatever it works out to, too bad... ), so while they "always have someone near you", they have few/no good couriers with 'em.

I've seen bikers destroy "fragile" marked packages as an effect of the way they are treated by their "employers" ( they aren't their employers: independent contractors, not employee agreements -- no rights, no standards, no minimum wage )

They also routinely leave your packages with any security guard who says they aren't allowed to bring other packages into the building with 'em.
Stuff goes missing? Well, the courier agreement means the courier company has no responsibility to you, too bad.

Do you trust either ego head security guards or people treated as that worthless by their source of income?

Same way as any other piece of art

[holophrastic]

It's a quasi-large amount of data, and it's an infrequent thing. Duh, put the hard drive discretely into your pocket and plane/train/automobile/hoof it over. Bring a body-guard if you're actually woried about being mugged in your travels.

It's the standard answer, don't give it to anybody along the way, don't let someone else carry it for you. Look the contractor in the eye when you hand it to them directly.

What, have people forgotten that electronic data can still be carried?

karstdiver

[karstdiver]

The first question was "How would you prefer to send sensitive data?" along with "what would be on your wish list?". That allows one to ignore the question of "even if it should be sent" or "what about after it is sent". The second question was "What would be on your wishlist for the best way to send...?". That allows one to pick any method for sending. Therefore I would use (or want to use) quantum cryptography.

The question is the problem

[turbidostato]

There a lot of problems where making the proper asumptions renders the solution almost authomatically.

I'll go first for the question: How can I securely send data to someone outside the firewall? I can go through a lengthy reasonement, but I'll just say: given the fact that you need to ask for such info, don't try. Just burn it on a CD or DVD or put it on a USB stick, an external hard disk or something like this and tell the consultant come to your office and give it to her with your HR Director testifying the transaction. It'll be cost-effective and it will be the most secure way you will find: since you got off the sending phase, there's not chance to mistake it. If it's terribly valuable data, it might happen that your consultor will be suplanted, but then any problem will be for the HR Director; remember he was there.

But then, do you really think the real problem is the transit? What if somebody hacks your consultor's PC? What if she's a villaine and just sells your data to the Russian mafia? That's the real problem. And once you have spotted the real problem, the answer rises by itself: Don't give your consultant the data! It's so easy it almost hurts.

Your company doesn't need a consultor to move your data from the old app to the new. Your company needs a consultor to write a program that will automatically migrate the data. But then, how will the consultor write the program without access to the real data? It can surely be corner-cases, exceptions... You need to provide her with "shaked" data: you just need to take the real data and randomly reorder the columns, then pass it to the programmer to test his program against it.

So, if your data is:
John Doe|123456|57 Some Street
Abe Avellin|789012|42 God's answer
Bob Bukowsky|345678|101 Nowhere's Lane

Your consultor will work against:
John Doe|789012|57 Some Street
Bob Bukowsky|345678|101 Nowhere's Lane
Abe Avellin|123456|42 God's answer

Any data nuisance is guaranteed to still be there, but the consultor will never put his hands on significative data (there's no Abe Avellin living in 42 God's answer with SSN 123456). Your consultor will never be able to reconstruct the deshuffled data but even then, if you still have any scrupples, you can shuffle the data even within any single register so "John Doe" becomes "oJDnh oe", etc.

Secure SSNs?

I'm starting to consider my SSN public information. As of late it seems like any person that gives me money has to have a copy of it to file with the IRS. And who knows if they keep a copy of the form around, much what the IRS does with it.

It really is open an open secret.

Easy

Thumb drive in a condom, stuffed up the ass.

Better yet, make the consultants work on your site and watch them while they're there.

Not PGP

[einhverfr]

with something like this, I would think X.509 would be a better match. This allows you better options for verification than you get with PGP.

Usually I use GPG for similar things but I have it set up with the client before-hand and do an in-person exchange of keys. This is still not as good as you can get with X.509.

Re:PGP -- step three revealed!

[OldManAndTheC++]

step 3 is: 'apply copious amounts of lubricant'.

Um...where exactly is this rail gun????

kneecapping time

What the last three said.

Your HR Director should be kneecapped for even thinking of sending passwords offsite.

Unless... you're moving your infrastructure to another location (e.g. you'll be using a web-based HR system hosted by a third party), and the CONsultant is physically located inside that trust zone. In which case PGP it onto a DVD or tape, then courier it to the CONsultant. If you need to do this several times to include updates just regard the cost of the courier as the cost of reasonable confidence in privacy.

If the CONsultant needs to do a system test with realistic data, send them a batch of data created by extracting the real data then mangling and substituting random values for the real values.

If, as is moderately likely, your HR director forces you to do something flakey show them this topic, and if they still insist follow 'Secure in layers' by 'thomas (132075)': ignore 'shumacher (199043)' as he's talking about frequently sending to a large number of people: if the consultant doesn't understand your worries follow 'Jerf (17166)'.

Use the Phone?

If you are comfortable with the consultant having that data, and it is as simple as you state, then use the phone. Unless you think your phone lines are tapped, but the liklihood of that is far lower than the risk to which you're exposing yourself by transmiting the data electronically.

The Best.

Skybuck's UDP File Transfer ;)

Oh yeah =D

Value of the Data, Related Comments

[rhkramer]

Sorry, I haven't read all the comments here--some of the following are based on other comments, some are not (or not based on comments I read).

      * First, I'd start with estimating the value of the data, or the cost of losing the data, or having a malicious 3rd party obtain the data.

      * If that is a great deal, I'd consider not letting a contractor work on the data offsite, but instead insist on one of the following:

            * The contractor work on site, under security procedures established specifically for this work

            * If you need a contractor to develop the procedures to import the data to the new package, give her a sample (invalid) dataset and let her develop the procedures on that. She should provide a set of tests to confirm the procedures work properly, but you should have your own additional testing to confirm that the sample dataset hasn't missed any corner cases.

            * Or, you may need the contractor to teach an "inside" employee how to import the data, with the contractor at "arms length" from the data. (Of course, this begs the question (in the UK sense) of how to make sure the inside employee (and your inside data security procedures) are adequate.

            * I don't know how well bonding works, but if I did let the data offsite, I'd have the contractor post a gigantic bond, appropriate to the cost of data loss. (An issue here is how long the bond stays in effect--ideally it should be until the data loses it's value due to "attrition" (of whatever sort) over time.)

Another miscellaneous note--the idea that decryption takes a long time is based on averages (or whatever)--there is a chance that an attacker will guess the key on an early try. If I was an attacker, and the data was valuable enough, I might set an automated cracker to work on it on the off chance that I might get lucky.

the most secure way is-

[vuffi_raa]

hand delivered in a sealed lockbox- that's how we transfer confidential data at work

Data stripes to courier

[nobuddy]

Take the entire fileset and encrypt the hell out of it. Then take the RAID3 approach, without redundancy. calculate the parity stripes out of the data. send one parity set on one disk via courier 1, the other parity set on another disk via courier 2. if either disk is intercepted, it is useless without it's counterpart. Even if both are intercepted somehow, they still have to figure out what all those ones and zero's mean, reconstruct the fileset, then deal with the encryption.

Digital Security

[E6Yut!]

I would use a combination of digital certificates and encryption.