The Elephant in the Room … Office 365?


We are rather like zombies with Microsoft Office. It’s been with us for years, and we can’t let it go. It’s our IT friend. But it hasn’t really ever entered the 21st Century. The package we see now wouldn’t differ much from the one from the 1990s. So as the world takes security seriously, Office has always struggled to properly get involved with all that document signing, multi-factor authentication, and email signing stuff.

For proper academic work, LaTeX overtook Word a long time ago, and it just gets better by the day. I can tell a LaTeX-produced PhD thesis/research paper from a Word-produced one from a mile away. The lack of properly integrated markup for equations in Word has always been one of the greatest weaknesses in Office, and it still is.

My advice to PhD students is to avoid Microsoft Office, and use a proper document layout system such as LaTeX. And for collaboration go for Overleaf. In Overleaf, there is no “Save” option (it just does it for you), and you can swap your templates in an instant, without all those horrible Word-based templates. Do you really want your thesis to look like it was designed by a local Web design company?

Introduction

What an untrustworthy information age we live in! The information age we live in is basically much the same as it was in the 20th Century. Okay, we have moved to the Cloud, but it’s still the same old insecure infrastructure that we’ve been using for decades.

And don’t you just feel underwhelmed by Office 365? We all have it, and it’s almost part of our lives. When we use spreadsheets or documents, we just assume that others will also be using Office. But do you also feel that there’s a whole lot missing from Office, and that the big hole is security? With GDPR coming along, we must make sure that we protect all of our documents (not just those which relate to citizen data, but also all our other documents which might release some sensitive information).

Whatever happened to digital signing?

But when was the last time you protected a Word document or an Excel spreadsheet? When was the last time you sent an encrypted email that was signed by you? And when was the last time you could actually verify that the email you received was actually from the person on the address bar? Basically, Office 365 has very little security built into it, and leaves it to the organisation to build it.

The integration of encryption, digital certificates and the signing of documents and messages in Office has never really happened, and we often rely on third-party plug-ins which will always struggle to scale. Overall there has never really been a drive from Microsoft on this … there were no big messages from them to say that they were now encrypting all documents by default. Basically, we have all been happy with Office since it was Word 6.0, and just love the compatibility that it brings.

They fixed the communication issue by using SSL, but the encryption only covers the machine-to-machine transfer. The fix for documents was just to encrypt the disk, but that opens up all of the documents if the disk can be decrypted, or when they leave the encrypted drive. Why can’t we still encrypt and sign documents by default? What’s the sticking point?

So where is the largest security hole in organisations? … Their email infrastructure, as most of it is open to a large-scale data breach, and where an insider could walk out of the company with every single email that was ever sent and received, on an SD Card that could fit on the end of your little finger. How much is that data worth to an intruder?

The RFCs

In 1982, after the classics of IP and TCP, came the Simple Mail Transfer Protocol (SMTP) with RFC 821. Then, in 1992, we saw the standardisation of POP-3 (https://tools.ietf.org/html/rfc1725), followed two years later by IMAP 4 (http://tools.ietf.org/html/rfc1731).

Since then little has really changed, other than the development of tunnelling with SMTPs, IMAPs, and POP3s, where the transmission of the email is protected. Once the email is out of the tunnel, it is unprotected, and can be read by anyone with administrator access. Today, too, we still receive spam emails from users pretending to be someone else, and our emails are open to those with administrative access to our email. Very little in email can be trusted, as it can be easily modified and read by those who were not meant to access it.

PGP (Pretty Good Privacy)

Phil Zimmermann came up with the best way to achieve both the signing of an email and to preserve the privacy with PGP:

With PGP, we sign a hash of the message with our private key, so that the other side can check the sender (and that the message hasn’t been changed). We then create a new encryption key for every message, encrypt the message with it, and then just need to encrypt this key with the other side’s public key. The receiver then receives the message, decrypts the email encryption key with her private key, and uses it to read the message. After this she takes a hash of the message, decrypts the encrypted hash with the sender’s (Bob’s) public key, and compares the two. If the values match, she has proven the sender and that the message hasn’t been changed …
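The sign, wrap and verify flow described above, as an added example that is not from the original post. To run with only the Python standard library it uses stand-ins that are assumptions of this sketch and not secure: textbook RSA over fixed Mersenne primes, a SHA-256 keystream as the symmetric cipher, and hypothetical function names and packet layout.

```python
import hashlib
import secrets

def toy_keypair(p_exp, q_exp, e=65537):
    # Toy RSA key from two known Mersenne primes (constructed for the demo, NOT secure).
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)                      # (public, private)

def keystream_xor(key, data):
    # Stand-in symmetric cipher: XOR with SHA-256(key || offset) blocks.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sig_len(n):
    return (n.bit_length() + 7) // 8

def pgp_send(message, sender_priv, recipient_pub):
    n_s, d_s = sender_priv
    # 1. Sign the hash of the message with the sender's private key.
    signature = pow(digest_int(message), d_s, n_s).to_bytes(sig_len(n_s), "big")
    # 2. Fresh symmetric key for this message only.
    session_key = secrets.token_bytes(32)
    ciphertext = keystream_xor(session_key, signature + message)
    # 3. Wrap the session key with the recipient's public key.
    n_r, e_r = recipient_pub
    wrapped_key = pow(int.from_bytes(session_key, "big"), e_r, n_r)
    return wrapped_key, ciphertext

def pgp_receive(wrapped_key, ciphertext, recipient_priv, sender_pub):
    n_r, d_r = recipient_priv
    # 1. Unwrap the session key with the recipient's private key.
    session_key = pow(wrapped_key, d_r, n_r).to_bytes(32, "big")
    plain = keystream_xor(session_key, ciphertext)
    n_s, e_s = sender_pub
    signature, message = plain[:sig_len(n_s)], plain[sig_len(n_s):]
    # 2. Recover the signed hash with the sender's public key and compare.
    valid = pow(int.from_bytes(signature, "big"), e_s, n_s) == digest_int(message)
    return message, valid

BOB_PUB, BOB_PRIV = toy_keypair(521, 607)        # sender
ALICE_PUB, ALICE_PRIV = toy_keypair(607, 1279)   # receiver
```

Flipping a single ciphertext byte, or checking against a public key other than the sender's, makes `pgp_receive` return `valid = False`.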

So what has gone wrong? Well, we haven’t found a method where users can easily register their public keys, and software still doesn’t support the proper signing of email. Microsoft Exchange has never really properly supported signing and encryption, and it is left to third-party plug-ins, which aren’t easy to use.

So, do you have a public key that you publicise? Here is my public key:

http://asecuritysite.com/encryption/pgp1

If you’re interested in how to create one and encrypt data, here is a tutorial in using PGP:

http://asecuritysite.com/public/csn11123_lab08.pdf

For many, though, and especially for governments, the use of public keys for email is something that scares a whole lot of people.

Conclusion

So ask yourself …

  • Why can’t I sign my emails with a proper signature?
  • Why aren’t my documents encrypted by default, and where can I define who is allowed access to them?
  • Why can’t I define ownership of a document?
  • If someone gains access to my emails on a server, will they be able to read them?
  • Why do I have to press “Save” to save a document?
  • Why can’t more than one person work on the same document at a time?
  • Why can’t I apply multi-factor authentication to a document?
  • Why can’t I do proper LaTeX maths?

Office lacks innovation, and needs a push.