Technology keeps moving forwards, faster than a speeding-freight-bullet-train-gun — even faster than the speed of light. Okay, perhaps not that fast, but we’ve all had that feeling of missing a watershed moment in technology, or at the very least a new product with a dazzling new specification, and you’ve no idea what anyone at the regional tiddlywinks social is talking about.
Relax. It happens. So let’s brush up on some of the most commonly used security terms and exactly what they mean.
Let’s start with a big one, and one you’ve likely encountered. Just because you’ve encountered it, doesn’t mean you understand the incredible importance of encryption.
In a nutshell, encryption is the transformation of data to hide its information content. Be that sending a message over WhatsApp, Microsoft requesting encrypted telemetry information from Windows 10 systems, or accessing your online banking portal, you’re sending and receiving encrypted information whether you know it or not.
And rightly so. You don’t want Alan using a man-in-the-middle attack in the local pub to steal your account credentials. Equally, you don’t want just anyone to be able to read your email, your secure messaging, and any of the myriad services secured with encryption.
All Up in the News
One of the biggest encryption stories of the year has just been given a swift jolt back into life. I’ll give you a quick precis: in December 2015, 14 people were murdered in an act of domestic terrorism at the Inland Regional Centre, San Bernadino, California.
The terrorists were killed some hours later in a shootout, and the FBI went on to search their local residence. They recovered a number of items, including one of the deceased’s encrypted iPhone. This presented a problem to the FBI: they couldn’t brute force (an exhaustive attack designed to guess all possible password permutations) the phone’s protection, as that could’ve wiped the data.
Apple, quite rightly, refused to create a golden backdoor for the FBI to use, reasoning that once it was created it would be used repeatedly. Furthermore, they again correctly stated their belief that such a backdoor would inevitably fall into the wrong hands, and be used to directly and negatively affect other citizens.
Roll forward a few months. The FBI and Apple had been back and forth in court, when suddenly the FBI announced that, with the help of an unknown third party (reportedly an Israeli security research firm), they’d successfully cracked and accessed the data on the iPhone — which in turn, amounted to basically nothing.
Still with me? Roll on a few more months, to August 2016, and hackers announced the “liberation” of highly sensitive data from an NSA auxiliary server, speculated to have been used by one of the government agencies’ elite internal hacking groups. The data apparently contained code detailing backdoor attacks on a number of important, globally-used firewalls, with the data being put up for sale (with an outrageous ~$500 million asking price).
TL;DR: Backdoors work until everyone knows about them. Then everyone is screwed.
It’s All About the Keys
Secure encryption remains so by signing digital keys, exchanged securely between two parties. Public-key cryptography (AKA asymmetric cryptography) uses a pair of keys to encrypt and decrypt data.
The public key can be shared with anyone. The private key is kept private. Either key can be used to encrypt a message, but you need the opposing key to decrypt at the other end.
The key is essentially a long string of numbers that has been paired with another long string of numbers, but are not identical (making them asymmetric). When public-key cryptography was proposed by Diffie and Hellman back in 1977, their work was considered groundbreaking and laid the foundations for the many secure digital services we take advantage of today.
For instance, if you’ve ever used a digital signature, you’ve used a technology based on asymmetric cryptology:
To create a digital signature, signing software (such as an email program) creates a one-way hash of the electronic data to be signed. The user’s private key is then used to encrypt the hash, returning a value that is unique to the hashed data. The encrypted hash, along with other information such as the hashing algorithm, forms the digital signature.
Any change in the data, even to a single bit, results in a different hash value. This attribute enables others to validate the integrity of the data by using the signer’s public key to decrypt the hash. If the decrypted hash matches a second computed hash of the same data, it proves that the data hasn’t changed since it was signed.
If the two hashes don’t match, the data has either been tampered with in some way (indicating a failure of integrity) or the signature was created with a private key that doesn’t correspond to the public key presented by the signer (indicating a failure of authentication).
2. OAuth and OAuth2
OAuth is essentially an authorization framework. It allows two parties to communicate securely, without the necessity of providing a password each and every time. I’ll explain how this works using a quick example:
- Bill is a user. He wants a third-party to securely access his Twitter stream (a secure resource, using a password).
- Bill asks the third party to securely access his Twitter stream. The third-party app says, “Sure thing, I’ll just ask for permission.”
- The third-party makes the request. The secure service — in this case, Twitter — responds by saying, “Sure thing, here is a token and a secret.”
- The third-party now sends Bill back to Twitter to approve the changes and to give him the token to show his involvement in the process.
- Bill asks Twitter to authorize the request token, and Twitter make a last double-check. Once Bill says OK, Twitter sends Bill back on his way to the third party with a “good-to-go” request token.
- Finally, the third-party receives an access token and can happily post to Bill’s Twitter stream. Lolcats for everyone!
Throughout the process, Bill never had to provide his account credentials to the third party. Instead, they were verified through the OAuth token system. Bill still retains control over this system and can at any time revoke the token.
OAuth can provide further in-depth permissions too. Instead of allowing everything the same access to your credentials, we can assign granular level permissions, such as giving one third-party service read-only access but another the right to act and as post as you.
Really? A “Secret”?
I know, right?! Who knew security terminology could be so kawaii! In all seriousness, I’ll explain that term a little more. It comes down to the Client ID and Client Secret. For OAuth to work, the application must be registered with the OAuth service. The application developer has to provide the following information:
- Application Name
- Application Website
- Redirect URI or Callback URL
Once registered, the application will receive a Client ID. The Client ID is then used by a service to identify an application. The Client Secret is used to authenticate the identity of the application to the service when the application requests access to a user’s account. It must remain private between the application and the service.
There is a pretty high chance you’ve used OAuth without ever realizing it. Have you logged into a third-party website using your Facebook, Google, or Microsoft account? Then you’ve made a secure connection using OAuth.
This malware variant is fast becoming the scourge of the internet.
Just as traditional malware infects your system, ransomware does the same. But instead of merely stealing your data and turning your system into a botnet node, ransomware actively encrypts your data and then asks for a payment to secure its release. We looked at public-key encryption earlier in this article — and the vast majority of ransomware uses publicly available encryption technology.
Here’s how the Center for Internet Security defines it:
Cryptography is a method used to encrypt, or scramble, the contents of a file in such a way that only those with the knowledge of how to decrypt, or unscramble, the contents can read them. Ransomware, a type of malware that holds a computer or files for ransom, continues to highlight the malicious use of cryptography.
For instance, one of the earliest forms of ransomware to gain global notoriety was CryptoLocker. Typically propogated as a malicious email attachment, once installed the ransomware would dial home to a command-and-control server to generate a 2048-bit RSA key pair, sending one back to the infected computer. It would then steadily encrypt numerous important files using a preordained list of extensions, announcing its completion with a ransom message and demanding a payment in Bitcoin for the safe release of the private key (which would allow the files to be decrypted).
If a user had not backed up their files, they would be forced to pay the ransom or face permanent deletion. The encryption keys generated by the CryptoLocker ransomware were commonly 2048-bit RSA, meaning that with current technology, breaking the keys is essentially impossible (the sheer computing power required to break the encryption is currently unfeasible).
Many Other Variants
The CryptoLocker ransomware private key database was retrieved when the Gameover Zeus botnet was taken down in 2014. It allowed security researchers a chance to create a free decryption tool to disseminate to those affected users, though it was estimated the ransomware developers appeared to have coerced around $3 million through infected users:
In 2012, Symantec, using data from a command-and-control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.
This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users’ and organizations’ files, and render them useless until criminals receive a ransom.
The tide hasn’t turned. While we understand more about ransomware than ever before, ransomware developers are consistently updating and tweaking their products to ensure maximum obfuscation and maximum profitability.
June 2016 saw the reintroduction of an “older” form of ransomware. Locky had previously gone “offline” with new infections greatly reduced in favor of another ransomware variant, Dridex. However, when Locky returned, it had been given an extra-dragon-punch-deathblow mode of attack. Previously, the ransomware had to dial home to a command-and-control server to generate and share the asymmetric keys we previously discussed:
Last week from Wednesday to Friday we observed a notable increase in amount of spam distributing Locky. At most we saw 30,000 hits per hour, increasing the daily total to 120,000 hits.
Yesterday, Tuesday, we saw two new campaigns with a totally different magnitude: more than 120,000 spam hits per hour. In other words, over 200 times more than on normal days, and 4 times more than on last week’s campaigns.
If the ransomware couldn’t dial home, it would lay impotent. Those users who realized they’d been infected extremely early on could potentially fight the infection without having their entire system encrypted. The updated Locky doesn’t need to dial home, instead issuing a single public-key to each system it infects.
Have you caught why this might not be quite as bad as it seems?
In theory, using a single public-key means a single private-key could unlock each system encrypted by the Locky ransomware — but I still wouldn’t bank my system files on finding out!
ISO Standardized Glossary
We’ve looked at three different terminologies you might encounter in your daily life. These are universal terms that carry the same meaning throughout the security and information management world. In fact, as these systems are so vast, so unequivocally important, touching all corners of the globe, robust terminology frameworks exist to facilitate open and uniform communications between different partners.
The terminologies are provided by the ISO/IEC 27000:2016, which gives a comprehensive view of information security management systems covered by the ISMS family of standards and defines related terms and definitions.
The standard is important as it lays the foundation for mission critical communications between any interested parties.
Knowledge Is Power
We encounter misinformation everywhere we go. Why does it happen? Unfortunately, the people with enough power to make decisions that could positively affect our security rarely understand enough to make an informed, progressive policy to maintain privacy and security. Their decisions must be metered against the safety of the masses, and it usually leads to a decrease in privacy. But for what gain?
Take the time to learn, and to understand contemporary security terminology. It’ll make you feel more secure!
Would you like us to cover more security terminology? What do you think needs explaining further? Let us know your thoughts below!
Image Credit: Locky Linegraph via F-Secure