The Enigma Machine and modern day security

During World War II, the Enigma machine was used to send secret messages within the military. It had a combinatorial strength of 150 million million million to one. It was unbreakable and British Intelligence would have had no easy task in unravelling its secrets. However, the Poles had broken the cipher in 1932 when the machine was undergoing trials, and at that time the cipher was changed just once a month as compared to wartime when it was changed once every day.

Enigma Machine at Thales Stand at InfoSec 2012

Enigma Machine on display at the Thales Stand at Infosecurity Europe 2012

However, in 1939 the Poles passed on their knowledge to the British who were able to exploit this information, led by Alan Turing at Bletchley Park. While this was useful it was not enough to help the code-breaking effort in large volumes (changing cipher).

Another important breakthrough was the capture of U-33 a submarine in February 1940, this gave the British access to the rotors (in haste one of the German navy men forgot to dispose of it and kept it in his pants), and the regulations for sending coded messages. U-110 captured in a daring raid (made famous by the fictional movie U-57), provided the British with another Enigma machine and codebooks. Errors in messages sent by lazy, tired or stressed operators further helped the code-breaking effort.

Over the years we have developed sophisticated systems such as access control, complex passwords, physical access security and so on. But how many take this really really seriously? Looking at parallels between the ENIGMA and our current environment

1. Secure Installation
During setup and installation of data-centres, have the default passwords changed to a more difficult hard-to-guess(impossible-to-guess) password, applicable to all software, operating systems, network equipment, or have we just changed the password to a standard phrase which is known throughout the enterprise and across all clients (in case we are working with several clients). Have we changed the default password on our smartphone?

2. Secure passwords
Do we use just one password for all our email accounts, work, jobsites, social media and so on? Or do we save our passwords in our email account? Or on a scrap of paper? Or in a text file on our computer that read ‘Passwords’. What is our definition of a strong password? Do we change our password often? If so how often? Are we plain careless? or ignorant? Do we send credentials in one single text messages/email rather than separate channels?

3. Secure disposal
How many of us securely destroy confidential documents bearing identifiable information such as our name, address, phone number, credit card numbers? Do we just give away our cellphone with all the data in it in an exchange offer? Have we sold off our old PC with the hard-disk? Do we know who has access to our waste-paper basket?

4. Eavesdropping
How many times have we heard confidential information/passwords in public transport?

5. Loss of equipment
Do we take care NOT to lose our electronic devices in public places? I’m sure that there are surveys of items lost: USB drives, portable Hard-disks, smartphones. (More on this in my next post…)

Further reading

A nice simulator for the ENIGMA machine can be found here:

Incidentally, it is The Alan Turing Year