Daily Archives: March 2, 2016

Encrypt or not to encrypt?

Posted on March 2, 2016 | Leave a comment

encryption-debate_Tresorit_Istvan-Lam08Overview of and comments on backdoors, frontdoors and the debate about it

To me, privacy means that I can decide to keep my data private, and neither an NSA or government agent, nor a Facebook/Dropbox/Google employee can see what is in there, if I don’t want it. This concept of privacy is not compatible with any kind of ‘doors’ – front, back or other – to user data.

Since UK Prime Minister David Cameron suggested earlier this year to ban encryption, policy debates intensified in the US, EU, UK and elsewhere about back- or frontdoors built into encryption systems. Certain parties argue that they need front- or backdoors to access tech companies’ data, to prevent and fight criminal activity. But both backdoors and frontdoors violate end user privacy and if that wouldn’t be enough reason against these doors, they also undermine the world’s overall cybersecurity. Let’s see why.

What are frontdoors and backdoors? – definition and examples

First, let’s get two expressions straight: what is a backdoor and what is a frontdoor.

A backdoor is a covert way to provide an entity with a higher level access to a system than what it should normally have. A backdoor is usually hidden as random security bug, but instead of being an accidental mistake, it is planted intentionally. The key thing is that backdoor is hidden, even from the system operator, which makes them uncontrollable and hence, dangerous. Someone who is not supposed to do so, can exploit them.

A frontdoor is a way to give higher access to a system, but it in a way that it is known to the participants or at least by the system operator. It is also assured, that only that entity can use the frontdoor. This is like a master key in a hotel for the maid.

Snowden uncovered several secret operations of the NSA, and that started the current debate on encryption backdoors and frontdoors. NSA director Michael S. Rogers is argues for “front doors with a big lock”, meaning that in case of an investigation, the FBI or other authorities should have a legal and technical way, to access encrypted content. Washington Post created a graphic about the proposal – basically, White House is considering two platforms, one where the authorities can recover encrypted data using a key escrow, and another, where the recovery key is split between platform vendor and the authority. In my view, neither of the proposed options provides sufficient solution. Especially, that they do not guarantee non-US citizens, that they are not monitored by (for them) a foreign government.

If you are new to the security industry, this debate might sound new, but the NSA has a long track record: Der Spiegel reported in 1996 that a swiss national pride, Crypto AG placed backdoors in their renowned crypto machines, due to pressure from the NSA. Another, more recent example is the SP 800-90A standard proposal: researchers suspected that the NSA might have included a backdoor in one of the newly standardized pseudo random generator (namely, Dual_EC-DRBG) . This backdoor could’ve enabled the NSA to monitor anybody, regardless of their citizenship or if they are using a strong encryption algorithm or not.

Also, we should not forget to mention the Gemalto SIM encryption key database hack: a joint effort by the NSA and the British GCHQ. To understand why this action is controversial, we need to understand how the GSM (and 4G/3G) network works. The SIM card stores a symmetric encryption key, which is used to encrypt the traffic in the air. Due to the nature of symmetric ciphers, the same key need to be used to decrypt the content by the GSM core network. For that reason, the SIM keys are stored in a secure, central database, called Home Location Register, or HLR. HLRs are under the jurisdiction of the geolocal authority. That means, the NSA already had a sort of control over the domestic encryption keys, as a default. But then why did they need to hack a respected vendor? Because it enabled them to get any user’s data, without leaving a single mark. The former was actually admitted by General Keith Alexander in his keynote speech at Black Hat conference in 2013, while he denied any covert domestic content monitoring.

These things all undermine the credibility of intelligence agencies, and in general, triggers sometime unfounded suspicion. Not all secret operations are necessarily evil: after DES was introduced by IBM in the early 1970s, which later became the predominant block cipher in the industry, NSA tweaked its structure. NSA lowered the key size, and changed the deep structure (the S-boxes) of it without explanation. Many believed that NSA planted some backdoors, but it turned out later, that the change actually increased the security of DES: NSA already discovered possible attacks, and prepared against it.

All in all, backdoors in crypto systems are not recent inventions, we have seen several suspicious activities by government agencies throughout the past decades. Let me explain why backdoors and frontdoors are bad.

Why backdoors and frontdoors are bad? – the objective technical reasons

It’s not only ethical, philosophical and political problems that are involved with backdoors and frontdoors. There are also several technical reasons why it is extremely difficult to accomplish exceptional governmental access, without insecuring the whole Internet. A recent MIT report by respected security scientists mentions quite a few challenges that a general governmental “frontdoor” would have to face. They state that introducing any frontdoors to encryption systems in rush could lead to a disaster without proper specification and proper system design.

Our world increasingly relies on a trustworthy connection through the internet: individuals and business are banking online, companies transfer crucial business data through this network, governments communicate with their citizens online and so on. Due to this high economic dependence, we need to protect whatever goes through. The Internet could become so widespread, because it adapted to the arising security challenges step by step. Frontdoors and backdoors would undermine its security and would zero the work has been done so far.

There are 4 main technical issues with backdoors and frontdoors:
1.New protocols: The installation of frontdoors & backdoors requires complete new security protocols, new research and development
2.Non-immune governmental agencies: Government agencies are not immune to attacks. Imagine the risk of a terrorist hacking a government agency and gaining access to all data about the US population.
3.National governments versus global citizens: In our globalized world, who would decide which government has the frontdoor?
4.High costs and uncertain results: A system that provides governmental frontdoors is complex and expensive. Who will take the bill of that cost?

1.New protocols: The installation of frontdoors & backdoors requires complete new security protocols, new research and development. The current security systems have been designed in a way that there is no exceptional access in the system. And more or less, they have been functioning OK so far. Forward secrecy is a good example: without this solution if any time in the future any party is compromised, all traffic could be decrypted. Current security protocols are not the best, but with backdoors, most of the accomplishments, like forward security, would be ruined. Also, a new protocol that includes frontdoors needs to be analyzed thoroughly before implementation – it may take years. We’ve seen that most ad-hoc, non-analyzed protocols were cracked later on, just remember WEP, the Wi-Fi encryption.
2.Non-immune governmental agencies: The assumption that a governmental agency is unhackable or not vulnerable is naïve, and proven to be wrong. Its employees are humans too: they can quit, gossip, can be bribed or worse. Just think about Snowden: he walked away with a bunch of classified information. A few years ago, John Anthony Walker, a US officer was convicted of spying for the Soviet Union for almost 20 years: between 1968 and 1985. No organization is unhackable: embarrassingly, even Hacking Team, a government supplier of surveillance and tracking software was hacked in 2015. Damages can be major: in the recent breach of the US Office of Personnel Management, 21.5M social security numbers of government personnel were leaked. If some organization had a frontdoor to all the communication over the internet, a breach would mean a breach of the entire Internet – a breach nobody saw before.
3.National governments versus global citizens: In our globalized world, who would decide which government has access to users’ data? Or is this only a privilege of the NSA? If the NSA has access to users’ data, wouldn’t China or Russia have the right to claim the same? If you are a US citizen , who is working on a project in Europe, should the European government has access to all your personal data? And what if you are working in China or Russia? And what if you are not just in Europe for a short project, you are actually living there as an expat? If you say no to any of those questions, then why should US government have right to access to any foreign citizen’s data? I know these are provocative questions. But in our globalized world, people are working, buying and living in multiple countries. International trading could be completely killed by introducing frontdoor requirements on country level: a US company with factories in Pakistan, suppliers in China and retailers in the EU would have to trust all those governments, because if backdoors and frontdoors were implanted, they would all have the rights to access their confidential business data. .
4.High costs and uncertain results: Digital Right Management (DRM) systems are good examples for how a key management at a global scale can go wrong. Hollywood and the publishing industry has been trying to introduce a proper Digital Right Management platform to prevent piracy, without a breakthrough yet. The similarities between DRM and the frontdoors are the following:
•Both require complex cryptographic key management, as the content in DRM is encrypted or at least scrambled a bit.
•Key management needs to have a global scale, without any exception: if a title is published without DRM in a small number, it can make pirates to copy and distribute that exception.
•The key management is actually implemented by vendors, who are not having interest to make it right; e.g. a DVD player vendor is not incentivized by properly protecting the DRM key. At the same time, those vendors are under serious competitive cost pressure.

Despite the billions of dollars and many years of research, all DRM systems has been cracked so far, just think about DVD: pirates have found the weaknesses and the way around. In case of any frontdoor technique the stakes are much-much higher, so it would be really motivating to many criminal hackers. We also have less experience to defend these systems than in case of DRM, so any leak can be disastrous to all industries, not just “some” revenue loss for the publishing industry.

Conclusion:

So the answer to the question in the title is “yes, let’s encrypt”. I think encryption is crucial from multiple perspectives: security is important for the Internet ecosystem, and weakening that security can be a complete backfire for our freedom, economy and personal security. Also, any backdoor and frontdoor plans raise political, philosophical and ethical questions which leads to a debate, that I think no one wants to take on. Legislative authorities try to address to these new issues, but if different countries take a different direction to this, it will undermine the potential growth of the global economy and the Internet ecosystem.

Leave a comment

Posted in Big Data, Cyber Security, eDiscovery, Encryption, Security

The 5 Biggest Cybersecurity Risks for Small and Medium Businesses

Posted on March 2, 2016 | 1 comment

Cyber_Security

Cases of data breaches from major corporations around the world are becoming more and more frequent, much to the dismay of business owners all over the world. Every few weeks, there is a report about a big corporation’s data being leaked on some website, causing the company huge monetary losses as well as irreparable damage to reputation.

Although the alarming frequency of such high-profile data breaches would lead one to believe that the hackers must really have it in for large business owners, the fact still remains that small and medium business owners are just as susceptible to data breaches, if not more. Even if small and medium businesses realize that they are under threat as well, they might wrongly think that they would need to spend a large amount of money to keep the threat at bay.

The reality is anything but this. The major factor that decides whether you fall victim to such attacks is your level of negligence. Therefore, this article aims to make you aware about the 5 biggest threats your business might face.




The 5 biggest threats

1. Stolen laptops and mobiles
It is astonishing how much data is stolen or compromised when the devices used by employees are stolen. The one who has access to the systems can access the company data and use it as he or she wishes. Therefore, it is absolutely essential for businesses to encrypt all data that is transferred on portable device of an employee. This would ensure that the data remains protected in the event that the device is stolen.
2. Unsecured Internet Networks
This is a blatant overlooking of your business’s security. Wireless networks are used by all businesses, and even small businesses today require off-shore and remote employees to access corporate data from elsewhere. Therefore, having a secure network is important to prevent unauthorized personnel from entering your network and causing problems.
3. Spear Phishing
This is another term for email scams. Email scams are one of the oldest tricks of the trade of gaining access to a user’s system. Hackers quite often send such tampered emails to all employees of a company in hopes that one of them falls for it. These attacks spread like fire, so if one employee system is affected, the entire network could be done soon enough. This is something employees should keep an eye out for as well, for such emails are usually simple to spot.
4. Malware
Malware is any code that has malicious intentions and has the capability to cause serious problems in your system. Malware are of different types, but they can be warded off by keeping a good anti-virus and anti-malware software on hand. It is also important to regularly update your anti-virus.
5. Insider Threats
This is something that is not always the case but is always a possibility. An employee holding a grudge against your company might take things further by mishandling your sensitive corporate data. To prevent such a thing from happening, make sure employees have differing access to corporate data according to their rank in your company. It is also wise to record the activity of all employees, big or small, to know if something is amiss.
Conclusion
We saw in this article how small and medium businesses can be targeted. The amount of money to be spent on security systems is by no means huge. All it takes is a little background knowledge to invest right in opposition to investing big.

1 Comment

Posted in Cyber Security, Encryption, Hacking, Malware, Security

Tagged , , , ,

This is What the Public Really Thinks About FBI vs. Apple

Posted on March 2, 2016 | 1 comment

Apple_FBI

DOJ v. Data Encryption – Public Perception and Communications Lessons

The heated dispute between Apple and the U.S. Department of Justice (DOJ) over the iPhone used by Syed Rizwan Farook before the San Bernardino, California, mass shooting has captured attention across America and the world. While this debate now focuses on one company’s decision, the implications go well beyond the mobile sector and even the whole technology industry. Companies and other organizations of all kinds responsible for managing personal data are concerned and need to be prepared to deal with the controversy’s impact.




To help deepen understanding about this complex issue, Burson-Marsteller, with their sister research firm Penn Schoen Berland, conducted a national opinion survey from February 23-24, 2016. The survey polled 500 General Population respondents (including 230 iPhone users) and 100 National Elites (individuals earning more than $100,000 per year who have college degrees and follow the news), and the results reveal critical communications issues around the fundamental conflict between privacy on the one hand and national security and safety on the other. Here are the key takeaways:

  • Overall awareness is high. Eighty-two percent of the General Population and 88 percent of National Elites have heard about the dispute. The news has gone viral, with people tweeting and posting on Facebook about it and commenting extensively online about news articles.
  •  The FBI should have access to one phone, not all phones. Respondents say the government should not be given a tool that potentially gives it access to all iPhones. Sixty-three percent of the General Population and 57 percent of National Elites say Apple should only provide the FBI with the data from the phone in question, and the tools to do it should never leave Apple’s premises. It is clear the public wants this decided on a case-by-case basis, and respondents do not trust law enforcement and national security agencies to self-police and protect privacy.
  •  The public expects companies to push back if there is the potential to violate privacy. Respondents say they want companies to protect the privacy of their data fully, even when the government is requesting data in the name of law enforcement or national security. A majority (64 percent of the General Population and 59 percent of Elites) says a company’s top obligation is to protect its customers’ data rather than cooperating with law enforcement or national security interests. However, most (69 percent of the General Population and 63 percent of Elites) see the need to compromise on privacy when terrorist threats are involved.
  • How the issue is framed determines public opinion. If the issue is framed as the FBI asking for access to this one phone, 63 percent of the General Population and 57 percent of Elites agree with the FBI position. If the issue is framed as potentially giving the FBI and other government agencies access to all iPhones, Apple’s position prevails overwhelmingly; 83 percent of the General Population and 78 percent of Elites agree Apple should either only grant access to the particular iPhone or refuse the request entirely.
  • Current laws are outdated. This situation reflects a much broader debate about privacy and security that will need to be resolved. About half (46 percent of the General Population and 52 percent of Elites) say current laws are outdated and need to be revised to reflect the changing role of technology in today’s society.

Regardless of the outcome of this current dispute, there is no question it is raising alarms about the state of data privacy. In the aftermath, companies will have to pay increasing attention to the expectations of their customers and consumers. The survey showed people are overwhelmingly concerned with the security and privacy of their digital data, with 90 percent of the General Population and 96 percent of National Elites saying they are very or somewhat concerned about the security and privacy of their personal information online or on their personal electronic devices. The Apple/DOJ dispute appears to be a turning point for all organizations trying to balance the demands of data privacy with national security and law enforcement considerations. The pressures on them are only going to grow.

 

1 Comment

Posted in Cyber Security, eDiscovery, Encryption, Forensic, Law Enforcement, Security, Technology

Tagged , , ,

Data Breach at UC Berkeley Impacts 80,000

Posted on March 2, 2016 | 1 comment

It’s a New Year !!!

computerkeyboard450

Roughly 80,000 people might have been impacted by cyber attack that hit a UC Berkeley system containing Social Security and bank account numbers, the university warns.

UC Berkeley officials are sending alert notices to current and former faculty, staff, students and vendors after discovering that one of the university’s systems had been breached, but say that there’s no evidence that any personal information has been accessed, acquired, or used following the attack.

However, the university has decided to inform users who are possibly impacted by the breach to stay alert on any misuse of their information and to enroll into a credit protection service the campus is offering free of charge.

Authorities, including the FBI, have already been notified about the incident.

According to a post from Janet Gilmore, Public affairs at UC Berkeley, the attack occurred in late December 2015, when an unauthorized user gained access to portions of computers that are part of the Berkeley Financial System (BFS). The attacker(s) leveraged a security vulnerability that UC Berkeley was in the process of patching, Gilmore states.

The blog post explains that the BFS is a software application used for the management of financial operations such as purchasing and most non-salary payments. Of the 80,000 potentially impacted people, 57,000 are current and former students, about 18,800 are former and current employees, including student workers, and 10,300 are vendors who do business with the campus.

Due to the fact that some individuals belong into more than one category, the breach impacted more than 80,000 entries, and Gilmore explains that this includes approximately 50 percent of current students and 65 percent of active employees. She also explains that many of the people impacted by the breach include individuals who received payments from UC Berkeley through electronic fund transfers.

“For students, this often involved financial aid awards that they elected to receive by electronic fund transfer. For many faculty and staff, this involved reimbursements, such as work-related travel reimbursements. Vendors whose Social Security numbers or personal bank account numbers were in the system in order for payment to be issued are also potentially impacted,” Gilmore says.

UC Berkeley learned of the potential unauthorized access to data within 24 hours of its occurrence, and Gilmore notes that officials took prompt action by removing all potentially impacted servers from the network, thus preventing further access to them. Furthermore, the campus hired a computer investigation firm to assist with the investigation.

Last month, University of Virginia’s HR system was breached and attackers managed to access sensitive information, including W-2s and banking details of University employees. Also in January, a hacker proclaiming allegiance to the Islamic State jihadist group infiltrated the internal network of one of China’s top universities.

1 Comment

Posted in Cyber Security, Data Breach, Hacking, Hacks, Security, Technology

Tagged , ,

Cybercrime on the Rise

Posted on March 2, 2016 | 1 comment

cybercrime-Article

Cybercrimes like data breaches are getting lots of attention these days. But does the average company need to worry about them? The answer is a resounding yes, according to a survey from PricewaterhouseCooper, which found that cybercrime has become the second most common type of economic crime.

Of the 6,000 executives across the world who participated in the survey, 38 percent reported that their organizations dealt with economic crime in the last 48 months. Cybercrime increased big time, with 32 percent reporting an incident in the last two years. That’s an 8 percent increase from a year ago. Cybercrime was up and is now the second-most-reported type of economic crime (asset misappropriation is No. 1).

Cybercrimes can cause major losses, according to the report. Of the respondents affected by cybercrime, about 15 percent reported losses of more than $1 million; 2 percent reported losses in excess of $100 million.

Despite this potential for losses, many boards of directors aren’t focusing on cybercrime. Globally, just 27 percent of boards request information about the company’s state of cyberreadiness more than once a year, the report found.

The survey, The PwC Global Economic Crime Survey 2016, is available here.

1 Comment

Posted in Cyber Security, Data Breach, Hacking, Hacks, Security, Technology

Tagged