GRyan Masters Blog

Cybersecurity and Encryption

5. More Companies Encrypt Data — April 17, 2016

According to a recent article, WhatsApp, owned by Facebook, is now using encryption that is said to be stronger than Apple’s. By Apple’s I mean Apple Inc., not the bright red fruit. I mention Apple’s encryption because of the ongoing debate with the FBI. WhatsApp has extended its encryption to all transmissions and not just messages, i.e. photos, videos, messages, etc. There have already been warnings that violent extremists and criminals can use WhatsApp to hide their tracks (BR, Bailey, & Writer, 2016).

Also, in Brazil, WhatsApp was the cause of a Facebook Inc. executive being arrested (he has been released). Apple and WhatsApp are not the only companies that use encryption to protect the transmission of data. Other, less popular services use encryption as well: Signal, Wickr and Telegram also use end-to-end encryption (BR, Bailey, & Writer, 2016).

The outcomes of the debate between Apple and the FBI will be an interesting turning point for these types of services, and the history of encryption. Many things could come from the debate. What will happen next? Will the government take encryption for itself and require that all encryption methods contain a backdoor for government to access? Will encryption be added to the list of things that are illegal? Would everyone using encryption be considered a criminal or terrorist because they are hiding something? I do not know where the history of encryption will go, but it will definitely be interesting.

Grant Ryan

BR, Bailey, O., & Writer, A. T. (2016, April 16). WhatsApp extends encryption to photos, video, other messages. Retrieved from http://ksnt.com/2016/04/16/whatsapp-extends-encryption-to-photos-video-other-messages/
4. Compliance with Court Orders Act of 2016 — April 10, 2016

This new bill, called the “Compliance with Court Orders Act of 2016” (“Burr Encryption Bill – Discussion Draft,” n.d.), is going to destroy the foundation of encryption. Encryption was created to protect data and was not intended to have backdoors built into its design. As mentioned in “Keys Under Doormats” (Adelson et al., 2015), any backdoor created for law enforcement also creates a potential risk from hackers and cyberspies (Greenberg, 2016). The title “Keys Under Doormats” is apt: how secure is your house if the key is under the doormat? If encryption is designed with a backdoor in mind, then why even build it? Creating a master key that would decrypt any other key would also prove pointless.

The Senate and House must seek the appropriate technical assistance before attempting to write this type of garbage up as a law. Does Congress realize the full scope of what they are demanding, or are they just creating a bill that is a fix for only a few issues that are currently preventing further investigation by the U.S. Government? If this is voted into law, every American should just use FTP to store all their information, change all current passwords to “password” or “1234”, wear T-shirts custom made to display their credit card information, and not lock their cars. Why should Americans do these things? Without encryption these things will not matter anyway. So much of our lives depends on encryption, and the government is trying to build up its wall while it tears down ours. Any files that may be stored in the cloud are protected by encryption or authentication. Passwords are transmitted using encryption so that a spying eye cannot capture them. Credit card information is secured through encrypted transactions, secure tunnels, or digital certificates.

Cars? Why mention not locking your vehicle? It’s not protected by an encrypted key; a physical key must be used to unlock and start my car. The Swiss Federal Institute of Technologies tested 8 cars that used keyless fobs for unlocking and starting a vehicle, and they successfully started all 8 vehicles (Hyde, 2011). What does this have to do with encryption? If encryption is required to have a way for court-ordered law enforcement to gain access to it, then the encryption is flawed from the start. It takes one person to find the key, and all devices from that manufacturer are now unsecured. America is becoming the land of free information, and the home of the weak security.

By: Grant Ryan

Adelson, H., Anderson, R., Bellovin, S., Benaloh, J., Blaze, M., Diffie, W., … Weitzner, D. (2015, July 7). paper-keys-under-doormats-CSAIL.pdf. Retrieved from https://www.schneier.com/cryptography/paperfiles/paper-keys-under-doormats-CSAIL.pdf
Burr Encryption Bill – Discussion Draft. (n.d.). Retrieved April 9, 2016, from https://www.scribd.com/doc/307378123/Burr-Encryption-Bill-Discussion-Draft
Greenberg, A. (2016, April 8). The Senate’s Draft Encryption Bill Is “Ludicrous, Dangerous, Technically Illiterate.” Retrieved April 9, 2016, from http://www.wired.com/2016/04/senates-draft-encryption-bill-privacy-nightmare/
Guido, D. (2016, February 17). Apple can comply with the FBI court order. Retrieved from http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/
Hyde, J. (2011, January 18). How Hackers Can Use Smart Keys To Steal Cars. Retrieved April 10, 2016, from http://jalopnik.com/5736774/how-hackers-can-use-smart-keys-to-steal-cars
3. VNC Security Breach — April 1, 2016

What is worse than not changing the default password on a device or program? Not setting a password at all. Recently a hacker who goes by “Revolver” recovered data from unsecured computers. Revolver wanted to see how many computers were insecure, so he created a script on his own computer that cycled through IP addresses and select ports, trying to connect to unsecured servers through a web-based VNC viewer (Whittaker, 2016). The script captured a screenshot only if there was a connection; if there was no connection, the script went on to the next IP address.
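The "no password at all" condition shows up in the first bytes a VNC server sends. The following added example (not code from the article or from Revolver's script) parses the opening handshake of a server you administer, for instance from a packet capture, and reports whether it offers security type None. The function names are this example's own and the sample handshakes are constructed; the security-type numbers come from the RFB specification (RFC 6143).

```python
import struct

# Security-type numbers from the RFB specification (RFC 6143).
SEC_NONE = 1       # no authentication at all
SEC_VNC_AUTH = 2   # classic VNC challenge-response password


def offered_security_types(server_bytes: bytes) -> list[int]:
    """Return the security types in a server's opening handshake bytes.

    server_bytes is everything the server sent up to and including its
    security message: the 12-byte version banner comes first.
    """
    banner, rest = server_bytes[:12], server_bytes[12:]
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB version banner")
    major, minor = int(banner[4:7]), int(banner[8:11])
    if (major, minor) < (3, 7):
        # RFB 3.3: the server picks one type and sends it as a 32-bit integer.
        if len(rest) < 4:
            raise ValueError("truncated security message")
        return [struct.unpack(">I", rest[:4])[0]]
    # RFB 3.7/3.8: one count byte followed by that many one-byte types.
    if not rest:
        raise ValueError("truncated security message")
    count = rest[0]
    if count == 0:
        return []  # server refused the connection; a reason string follows
    types = rest[1:1 + count]
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return list(types)


def allows_passwordless_access(server_bytes: bytes) -> bool:
    """True when the server offers security type None (no password set)."""
    return SEC_NONE in offered_security_types(server_bytes)


# Constructed sample handshakes (not captured from any real host).
OPEN_SERVER = b"RFB 003.008\n" + bytes([1, SEC_NONE])
PASSWORD_SERVER = b"RFB 003.008\n" + bytes([1, SEC_VNC_AUTH])
OLD_OPEN_SERVER = b"RFB 003.003\n" + struct.pack(">I", SEC_NONE)
```

A server that returns True here needs a password configured, or needs to be reachable only through a VPN or SSH tunnel.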

I reviewed this site when the article was first posted and many of the images were pretty disturbing. Not disturbing in the sense of gore, but in the sense that some of the information contained was damaging. One of the screenshots was of a pediatrics office, and patient records were displayed when the screenshot was captured. Another screenshot was the system control panel for a German hydropower plant. Some of the other captures were not of much importance.

Now the site that the photos were posted to (VNC Roulette) has been taken down. Since the site was taken down, I accessed the cached site from Google.com just to see if the photos were cached, and the site that Revolver set up for the VNC Roulette was hacked by another hacker calling himself “FatalSec”. This is a way for hackers to get their name out there as a better hacker than the last hacker. Here is the cached link to the hacked VNCRoulette website (I’m not responsible if anything happens to your computer by clicking the link. Click the link at your own risk): http://webcache.googleusercontent.com/search?q=cache:PFK3vnAnCOgJ:vncroulette.com/+&cd=1&hl=en&ct=clnk&gl=us.

{Update}

I have located the website with the photos of the screenshots. I am not posting this for the purpose of capturing the data, just as a visual tool to see the amount of data that is open to the public: VNCRoulette working link.

VNC Roulette. (n.d.). Retrieved April 1, 2016, from http://5.230.225.107/index.php?picture=0
Whittaker, Z. (2016, March 29). How one hacker exposed thousands of insecure desktops that anyone can remotely view | ZDNet. Retrieved March 29, 2016, from http://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/
2. FBI Vs. Encryption — March 27, 2016

The FBI continues to target Apple and the security of their devices. FBI Director, James Comey, is trying to get legislation passed that will restrict technology companies from having encryption that prevents the government from accessing the data stored on devices (Lord, 2014). As mentioned in my previous post, allowing any kind of backdoor into a system cripples the security of the device. It is obvious that anything that is encrypted can be decrypted, but adding a cellar door to your basement is just an invitation for anyone that wants what you have.

I am in total disagreement with the request of the FBI. Right now it is Apple that is being ordered to comply, but in the future it may be all other companies that sell products in the USA. If these types of laws are allowed to exist, then the competitive advantage of the U.S. technology companies has just been crippled by their own government (Lord, 2014).

Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized (“Bill of Rights Transcript Text,” n.d.).

Over 220 years ago the government tried to protect us against ourselves, and now we see things of this nature in the news so often. We are a free nation, but are we really? We can’t even protect our own data without someone else wanting access to it. Without encryption we would not be the nation that we are, or have the technologies and pleasures that we do have. What secrets would the government have without being able to protect the data that they have? To ask the people to give up a means to secure their persons or effects is unconstitutional at worst, and just poor programs, politics, and leaders at best.

Grant Ryan

Bill of Rights Transcript Text. (n.d.). Retrieved March 27, 2016, from http://www.archives.gov/exhibits/charters/bill_of_rights_transcript.html
Lord, N. (2014, October 20). The Security Hot Seat: Personal Device Encyption. Retrieved March 27, 2016, from https://digitalguardian.com/blog/security-hot-seat-personal-device-encyption
1. Encrypted — March 15, 2016

With the steady increase of cyber crimes, encryption should be a top priority for everyone. Whether you are a basic computer user or a company that deploys multiple servers across multiple locations, encryption should be considered. Using encryption to protect your data can be as simple as securing a single file or a folder that you store important information in, or it could be used to protect entire systems/servers.

Encryption used to Protect

A big controversy right now is Apple vs. the FBI. The incident that started this battle over encryption was the attack on the Inland Regional Center in San Bernardino, California by Syed Rizwan Farook and Tashfeen Malik (NPR Report). After the attack the two men committed suicide and there was an iPhone 5c recovered at the crime scene. The FBI confiscated the phone and was not able to access the data stored on the device. Since the FBI cannot access the data, many questions could not be answered.

The FBI filed suit against Apple requesting that it supply a way to get into the device, and Apple denied the request. Tim Cook, CEO of Apple, said:

“In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession. …

“The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable (NPR Report).”

This is a major issue in encryption. By creating a backdoor to encryption methods you are opening the encryption and reducing the security of the algorithms. Someone will eventually crack it and now the encryption is worthless.

Encryption used to Restrict

Another way that encryption can be used is to restrict access. Yes, I know, encryption is supposed to be used to restrict access, but not the way that unethical hackers are using it.

There are many reports that have been linked to hackers gaining access to systems and then encrypting them so that the users and administrators of the systems are unable to access them. This is being called Ransomware, or Remote Access Hacking.

These hackers are gaining access to different systems and then encrypting the data on these systems. Then the hackers are demanding a ransom in order to decrypt the systems. In 2012, there was an attack on an Australian business, and the hackers asked for $3000 in ransom for the password to the encryption. The company paid the ransom and the hackers claimed that child pornography was detected on their computers (Ransom Attack).

Many more attacks of this type can be found online.

No matter what type of computer, smartphone, server, or other electronic device you connect to the internet, you should research ways to encrypt your personal data. There are many different types of encryption methods available. We all should use some type of encryption to protect our personal effects.

Grant Ryan

Apple, The FBI And iPhone Encryption: A Look At What’s At Stake. (n.d.). Retrieved March 15, 2016, from http://www.npr.org/sections/thetwo-way/2016/02/17/467096705/apple-the-fbi-and-iphone-encryption-a-look-at-whats-at-stake
Dealing with ransomware and remote access hacking | NetSafe Security Central. (n.d.). Retrieved from http://www.securitycentral.org.nz/cybersecurity-for-small-businesses/dealing-with-ransomware-and-remote-access-hacking/