Encryption Mythbusters

As you probably know if you’ve read any of my past articles, technophobes and fearmongers are among my least favorite people.  Whether they’re members of congress pushing their agendas or denizens of the blogosphere using it to drive more clicks, it’s despicable.  There are no technologies that are always 100% positive and given any system, any game, or any set of rules, someone will try to break it.  That’s just who we are as humans. Does this mean we should shy away from all technologies? Of course not. Should we run around like chicken little because change is coming?  Of course not. Y2K, for example, happened almost 19 years ago and somehow the world kept turning. </rant> In the past month or so I’ve seen and heard some things spouted about encryption and while I am by no means an expert in the field, here’s my $.02 on what I do know. I’m taking inspiration from Brian Krebs who recently did a great talk about security mythbusters for Google’s Security & Privacy month.  

This post is not just for technical people: it’s a discussion about what encryption is and how we can bust a few myths going around in the media.  No matter your job title, it’s always good to know the signs of bad security so that even if you can’t fix it yourself, you can throw a fit until someone else does.

FULL DISCLAIMER:  I AM NOT A SECURITY EXPERT, I AM JUST A NERD WITH A BLOG.  Please go elsewhere for security advice for systems that actually matter.  This may be a long read, but I’ve tried to make it as interesting as possible.

Encryption is the process of encoding a message or information in such a way that designated parties can access it and anyone else cannot.  This is an important definition because the first part of that is very easy. Just making something available is easy; most content on the internet is just readily available to whoever comes along.  The second part is where it gets hard. Making sure that non-authorized parties cannot access it can be extremely tricky due to the vast complexity of modern computer systems.

FIRST MYTH:  I can write my own security libraries because it’s not that hard to keep the bad guys out.

Wrong.  It’s incredibly hard and there are holes punched through industry standard libraries all the time.  That’s why there’s so many of them with new versions coming out consistently. (Also this means you need to keep your systems up to date with security patches.  Restart your laptops, folks!)

Whenever you’re doing computer security it’s important to use known and proven libraries (correctly, mind you) rather than trying to implement your own security.  There are some amazingly smart people who spend their entire lives to write common libraries for encryption so that us mortals don’t have to.  Best of all, they have funny names like 3DES, SHA1, and Blowfish that are hilarious to see people use in academic and professional settings.

Before we go any further, there’s some typical vocabulary associated with encryption:

  • Plaintext is the original unencrypted message someone is trying to send
  • Ciphertext is the encrypted message that actually gets sent
  • Encryption algorithms are the processes that you use to turn plaintext into ciphertext
  • Decryption algorithms are what you use to turn ciphertext back into plaintext
  • Secrets (also called keys) are the other inputs to the encryption and decryption algorithm.  

Some notes about these:

  • Plaintext doesn’t actually have to be words or text.  It can be images, audio/video, or any kind of files that you find on your computer.

SECOND MYTH: Encryption always has to use the strongest or most expensive methods.

This is generally false.  Depending on the use case, you can get away with using weaker encryption if it’s just good enough for what you need it to do.

To reason why that is, let’s think about it from the attacker’s side (that of an unauthorized party who wants access to the plaintext).  There are many reasons why people would want to break encryption, but the majority of them boil down to either 1) money or 2) power of some sort.  Money is the straightforward one. People hack to steal intellectual property or trade secrets all the time. Sometimes they even cut out the middleman and hack credit card numbers or bank details.  The power that I’m talking about is more nuanced. It could be governments finding information about its citizens, citizens finding information about a government, or anyone finding information that for some reason needs to stay hidden.  This is the true “opportunity cost” of trying to hack someone’s encrypted data.

Most of the time, breaking encryption costs money.  Whether it’s renting massive cloud servers to crack huge encryption keys or paying people to hack things for you, there’s a cost to hacking.  If the cost of hacking a system is greater than the monetary value of the data inside of it, then it will generally be left alone. This means that encryption only has to be good enough for the use case.  Similarly, if it takes longer than the data’s useful life to decrypt it, there’s really no point wasting the resources to crack things. Real time systems such as orbital satellites have lots of data that becomes defunct shortly after it is created and transmitted.  Similarly, if you’re a military commander and your hackers decrypt a warning message for an attack that started five hours ago, that’s not particularly useful to you.

Many people, companies, (and sadly), government organizations don’t properly understand this principle.  They opt for the highest grade of security for all communications and all interactions when really they’re just slowing themselves and their employees/developers down.  Where this really comes into play (and the reason why I decided to write this article in the first place), is when people are sitting around on social media screaming bloody murder about how quantum computers are going to break all modern encryption and the worldwide economy is going to crash and how the world will be thrown into chaos and everyone is going to die.  (Ok, that may have been a bit of an overstatement, but you get the point.  They’re just fearmongering.)

No, quantum computers will not kill us all.  Will they be able to *EVENTUALLY* crack some currently-uncrackable systems?  Yes. Does that mean the global economy is royally ****ed? Not in the slightest.  With the invent of quantum computers powerful enough to crack the leading edge security measures will come new technologies for securing our data.  There are some people even now looking into how we can make unbreakable encryption by instantly teleporting information with quantum entanglement.  There’s also theories that you could make a communication network that detects wiretaps and automatically scrambles the data using the observer effect.  But again, quantum computers are stupid expensive and they need pristine conditions to function.  This adds to the monetary value of a security solution and the monetary cost of a hack. Like I said up at the top, there are a ton of really smart people working to make sure the world keeps turning and that computer systems are safe so that you can continue watching cats fall into boxes or whatever.

Finally, let’s address the problem that has vexed system administrators and cryptographers for years: people suck.

THIRD MYTH: Computers and brilliantly designed systems alone are enough to protect us!

( Caption: xkcd.com/538 )

Unfortunately, this is the biggest myth of them all.

The weakest link is always the users.  Whether it’s writing down their password on a sticky note under the keyboard or being hit with a $5 wrench until they give up their credentials, the statement holds true.  Users are one of the first and generally one of the most consistent ways to hack a system.

Social Engineering is, according to the one and only Wikipedia, psychological manipulation of people into performing actions or divulging confidential information.  This might sound difficult, but I assure you it’s frighteningly easy.

Think of how much data about yourself there is on social media, or as we used to call it in the government to make it sound less intrusive, “open source data”.  I could just- I mean, an unlawful criminal could just go and find a few of your interests, a few of the names of your friends or family members, and maybe an event that you’re going to relating to one of them.  Once they have that, it’s not too hard to craft an email that sounds something like this:

“Hi <your name>!  

This is <friend’s name> and I’m super psyched for the <upcoming event>.  I found <a link to this amazing thing> that would <make the commute easier | get us up to the front row | get us free swag>!  I claimed my copy and all you have to do is go there and log in through facebook and then you can get one too. Go ahead and tell <name of other friend who is also going to that event> and make sure they get one too so we can <match | all sit close | etc>.

See you soon!
❤ <friend’s name>”

Maybe they could go on your friend’s wall and figure out how they sound online.  Maybe they could even find interactions between the two of you to make it sound like it really is that person messaging.   But before you know it, you’ve clicked the link to get a free tshirt (because we really are suckers for free swag), you logged into what you thought was a federated Facebook login but was actually some hacker’s personal server, and then bam.  Someone has your username and password.

The crazy thing is there are tools out there that let you clone existing websites and set up scams like this in as little as a few hours of work.  You can even do crazy things like asking people for their username and password and once they give it to you, redirecting them to the “incorrect username and password” page of the real site so they think they just mis-typed it.  The victim just enters their username-password again and they’re logged into the real site successfully without thinking twice about how they’ve just been pwned.

So what should we do about it?  That sounds impossible to protect against!

Well, like I said, it’s impossible to protect against everything.  Even the best users get tired or greedy or even just have a mental misstep that puts them and their credentials in jeopardy.  The best defenses against this type of attack are:

1) DO NOT RE-USE PASSWORDS!  Even if you make a few different passwords for your most secure accounts (email, bank, facebook, etc) and then using one trivial password for unimportant sites (gaming, web-comics, this blog, etc), that will be enough.  Password re-use attacks are insanely common because people hate having to remember more than one password. It only takes you entering your password on one sketchy site (or an insecure site being hacked and your password being stolen) for a hacker to use the same email-password combination to get into all of your accounts.

2)  Pay attention to the “http://” vs “https://” when you’re entering in your password, your credit card, your social security number, or any other kind of PII (Personally Identifiable Information).  Figure out how your browser determines if websites are who they say they are and just double check each time you go to enter in your information.  For Google Chrome (the best browser, imho), here’s the guide to the security icons.  Just checking this has saved me a more than a few times from potentially getting my credit card stolen.

3) When you get emails from people you know that sound just a bit off, go ahead and message them in some other form of communication to see if they really sent it or not.  Especially when they’re not totally convincing and they’re just “OMG CLICK THIS <link to some site in another language that the person has never even remotely indicated that they speak or understand>”, that should set off red flags and it never hurts to check.  If it’s a legitimate link, they can let you know and if it’s not, then you’ve just let them know one of their accounts has been compromised or someone is spoofing their identity (pretending to be them)

Now that that’s all done, Congrats!  You made it to the end!

You are now a ctrl-alt-dissent certified security master.  Go forth and try to do your part to contributing to a healthier, smarter, and more secure internet.  Just like getting flu shots, herd immunity is an important concept on the internet and if you practice better cyber security, you get your friends and family to practice better cyber security, and you can make informed decisions during work and leisure activities, you’ll generally have to spend a lot less time mopping up the potentially disastrous results of a cyber attack. Hackers are lazy and they go for the lowest hanging fruit, so having even basic security measures will go a long way to keep you safe online.  

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s