Wednesday, January 14, 2015

Weekly Deep Dive: Germany may Secure Communications with Typewriters

This story sat in my draft folder as my human offspring, wife's writing career, shellshock, and poodle consumed my life. I think this story is still an interesting blend of old and new security issues that is worth posting.

This story originally broke in July of 2014.

Miss Germany could not be reached
for comment on this story.
Multiple stories detailed a German parliamentary committee that examined ways to address NSA spying within Germany. One of the options discussed: switching to mechanical typewriters. You read that correctly, not just typewriters, but mechanical typewriters. The fear is electronic typewriters may prove to have some ability to be monitored.

I adore this: low tech foiling of high tech espionage. Billions of dollars in state-of-the-art monitoring brought down by the humble mechanical typewriter.

The German committee already uses encrypted emails, secure electronic communications, and places their phones in a metal box when convened to prevent eavesdropping.

Would creating documents on a mechanical typewriter really stop the interception of communications? What precautions should the German Parliament take if they use mechanical typewriters?

Are you a security professional working for a law firm or financial institution that still uses electric typewriters? If so, this discussion could applicable to you. Anything used to create and store information falls into the domain of the information security professional and must be protected.

After the jump we will discuss how typewriters relate to the CIA triad along with ways mechanical typewriters could be monitored. We will also cover how you can create controls to protect typewriters and the documents made on them. 

Using mechanical typewriters as a security solution is a very interesting proposition for high level communications between German officials. Germany is clearly no stranger to using mechanical devices for creating and encrypting communications. The Enigma machine was a work of engineering and communication genius for its age. Though not completely mechanical (it was electro-mechanical) it was the key to keeping German secrets out of prying eyes for years before the encryption it used was broken.

A device like the Enigma machine would not be practical now. Modern computers could break almost any code created using a mechanical system. (Not talking about PADs here, you crazy crypto kids.)

The OSS (precursor to the CIA) had protocols to protect information created on manual typewriters. Germany better dust off their old school espionage manuals. Reviewing the old typewriter protection protocols may not be enough. New tools can use nearby smartphones sensors to detect what people are typing via vibration and sound.

Based on this, do mechanical type writers make sense now to provide better information security?

The answer: it depends on what you want. If you want to make a political statement, bravo, job done. If you want to provide actual security there are benefits and detractors to mechanical typewriters. We will look at a few of the pro and cons of using typewriters as seen through the CIA triad (Confidentiality, Integrity, and Accessibility).


My basic feeling on
the effectiveness of
administrative controls.
  • CON - Logging is nice. Technical controls that can tell who accessed and viewed a document are nicer. With paper you don't get that level of logging and protection. At best you may have someone in a records room that signs documents in and out. They may be a trusted individual. However, there is no technical control that creates a record of who viewed what document and when. You must rely on the physical controls around your records room and the custodian of those documents following your administrative controls. A Google search for "crime story inside job" will give you no shortage of reasons why human controls cannot be trusted. 
  • CON - There are no real technical controls to keep unauthorized parties from viewing sensitive information. Administrative controls related to data classifications must be respected by the people viewing them. The thing is, even if administrative controls are violated, who would know? This clip from the UK version of House of Cards perfectly explains the problem. (Jump to 18:15 ending at 21:00 if the link doesn't do it for you.) The answer is: you avert your eyes. Clearly, that is the solution. 
  • PRO - Destruction can be a pro for confidentiality. However, the process for legal discovery is really the pro here. An organization with loads of information on paper can show a process that destroys documents that are no longer legally required to be kept and have that process audited. If the requested documents fall within the process it can be assumed they are gone and cannot be produced. However, paper documents have a big con for destruction as well. More on that in a moment.

  • PRO - Integrity is actually less of an issue with typewritten documents than their electronic counterparts. Forging digital documents is easy. Forging mechanically created type-written documents (when coupled with a trusted courier) is no small feat. Simply lifting the ink does no good as the impact from the typewriter will leave an indelible mark. Forensic auditors have culminated literally millennia of experience spotting physical forgeries. Digital forgery is a new field relatively speaking. Modifying a letter is certainly not out of the question, but adds severe challenges. The difficulty is high as it requires possession of the letter for a long enough time to recreate it without alerting a courier that the letter was gone.
  • CON - Non-repudiation will be an issue. A typewritten document does not offer the mathematical assurances of a Public Key Infrastructure. The lack of built-in document authenticity is a serious detractor.
  • CON - The documents will be very difficult to easily access by multiple officials without making multiple copies. This on its own decreases the overall security by increasing the possibility one copy could be seen by unauthorized viewers. Secure couriers and chain of custody procedures can help ensure security. However, any one with physical access to the document could make an unauthorized copy.
Nuke the document from orbit...
  • CON - Destruction is always an issue. How can you be sure all the copies were destroyed? You can't. You can shred them, burn them, or dip them in acid, but you can never be certain every physical copied was destroyed. Did the clerk make five copies or ten? Did someone take a photograph of the document? You will never know, because you can never be truly sure who had access to the document. Quantum Cryptography attempts to address this by rendering information  unreadable if an an authorized party intercepts a file. If you want to melt your brain a little read more about the quantum cryptography here. If you would like an ELI5 version PBS NOVA has a short video here. I think it's safe to say there won't be a quantum cryptography module for typewriters any time soon.
  • PRO - Document requests and sunshine laws are a real pain for large institutions. The Freedom of Information Act (FOIA) allows citizens in the United States to request information from their government. The German government has something similar to FOIA. The Germans call it "Informationsfreiheitsgesetze". The lovely thing for governments about complying with these types of laws is it's almost always better to over comply then under comply. If all your records are on paper there is no reasonable way to be certain you have fulfilled the request without sending EVERYTHING that may be related. You may receive boxes and boxes and truckloads and truckloads of documents that look like this. If you want to keep something secret often too much information is just as good as no information. Especially if the information is contained in piles of paper that can't be efficiently searched.
After reading all of this what is the conclusion? Well, there isn't one. The German government will need to weigh the risks vs. the rewards of this method. The German Parliament can decide if mechanical typewriters really work for them or if they are just security theater with an opening act of political drama.

If you as a security professional have typewriters in your environment you will need to come up with  controls to protect documents created on these devices. These controls are the same type the German government should consider if they decide to move to typewriters from communications.


What can German officials or an information security professional do to further protect hard copy documents created on a typewriter?

Destroy the Ribbons
  • For both electric and mechanical typewriters the ribbons are a running character steam of everything written on the device.  
  • The ribbons can be destroyed easily through shredding, but as discussed earlier, shredding is not 100% fool proof. Especially when the information is of such a value that no expense would be spared to recover it. The good news here. It's unlikely someone copied a ribbon cable. It's also unlikely the same data is duplicated on two ribbon cables.
  • There are companies that make typewriter ribbon cable readers. The data is not difficult to recover. Simply throwing them out and hoping for the best is likely not an option.
  • Destroy the ribbons completely using an industrial shredder designed for the task.
Rotate then Destroy the Typewriters
  • Typewrtters create a "fingerprint" that can be used to identify documents. This fingerprint can be used to identify a specific typewriter. If many tantalizing documents come from one typewriter that device becomes a high value target (HVT). By rotating the typewriters through an office or agency it makes linking certain documents to a specific typewriter more difficult. Users are unlikely to consistently create the same type of documents across departments or office buildings.
  • Destroy the typewriters once their service is no longer required. This should be part of your asset disposal process. Proper destruction removes any possibility of new or advanced forensic espionage.
Secure Couriers and Diplomatic Pouches
  • Secure courier was the choice of Kings and Diplomats since the idea of sending a protected message was thought necessary. Choose a courier that is well known, trusted, and consistently audited. For nation states protecting a message via diplomatic pouch has many advantages
  • Couriers should also undergo job rotation to ensure they never have the opportunity to develop relationships that allow for collusion.

High Security Envelopes and Paper
  • Use high security paper for important documents. This paper can be used on a typewriter and is specifically designed to limit alteration or forgery. Access to this paper should be tightly controlled to prevent misuse. 
  • Tamper evident and high security envelopes alert the recipient when contents may have been viewed. These envelopes also ensure the contents of the envelopes are difficult to view without affecting the tamper resistant seals.

Secure Rooms
  • Rooms that typewriters are used in should have adequate and auditable security controls for physical access.
  • Radio signal in and out should be completely blocked. If the typewriters are electric they could have key loggers installed that broadcast information typed to interested parties. Blocking radio signal and disconnecting any devices in the room from network capabilities should be required. 
  • Mobile phones should be banned. Sophisticated attacks allow the sensors on phones to be used to determine what is typed. By determining the model of the typewriter using fingerprinting a mobile phone could be used to intercept information based on the sound and vibration of the typewriter.
Should the German government go to this extreme to protect their data? Would it actually make a difference in their communication security? Using a typewriter for secure communications isn't necessarily more secure, it's just secure in different ways. Every method of communication has security strengths and weaknesses.

The German government will need to examine their options and determine what's best for their needs. As a security professional you should take all the ideas and options written here and weigh them against your security posture. If you have typewriters in your environment are you doing everything you can to protect and handle sensitive data properly? Review the above and ask yourself if any of listed recommendations could make your sensitive paper based or typewritten documents safer. This critical thinking is often the difference between real security and security theater.

No comments:

Post a Comment