Just sent out issue 2 of the Neurovagrant Newsletter, containing this and more.
Last week security researcher Chris Vickery uncovered a massively insecure database belonging to the Hello Kitty line of products – which include a number of online components. Vickery found that the details of some 3.3 million accounts could be accessed including real name, gender, country of origin, password and birthday. Even more troubling is the fact that most of these accounts likely belong to children – and coming so quickly in the wake of the VTech toymaker hack in which four million parent accounts and six million child profiles were compromised, it should cause each parent about to buy an internet-connected toy some pause.
Vickery wasn’t done there. That week he “was on a rampage, reporting data breaches for companies and services like MacKeeper, security vendor for Macs (13 million accounts); OkHello, video chat app (2.6 million accounts); Slingo, online gaming site (2.5 million accounts); iFit, fitness app (576,000 accounts); Vixlet, social network (377,000 accounts); California Virtual Academies, online school network (74,000 accounts); and Hzone, dating app for HIV patients (5,027 accounts).”
On Thursday Juniper Networks announced that its Virtual Private Network operating system ScreenOS had been compromised for at least the last four years. Juniper is a giant in the VPN business; VPNs allow you to do things like access work networks from outside the office or protect your internet traffic from those seeking to intercept it. It appears two separate backdoors were installed into ScreenOS, including one that utilized a cryptographic algorithm known to have been weakened at the direction of the National Security Agency – dual_ec_drbg. Attackers took advantage of engineered weaknesses to intercept the traffic of Juniper clients. To what extent is not yet known, but again: the backdoor had been present for the past four years.
Enter most of the 2016 presidential candidates. All of the GOP candidates appear to be “against encryption” – a laughably simple argument considering encryption powers just about every bit of commerce and civic life we’re involved in. Encryption safeguards your card information when you purchase something on the internet but also when you use a card in-store; the point-of-sale machine connects to a payment processor, and when the encryption and/or segmentation there fails we see retail store POS breaches like Target or the processor-side TJX/Heartland breach. A strong economy relies on strong encryption. So does a strong healthcare system – healthcare breaches constitute the lion’s share of breaches in the past several years. Strong government itself relies on strong encryption. The OPM hack of this year shows us that. Not only did attackers gain an incredible data trove on law enforcement, intelligence and military members, but having extended access to the database raises the specter of information being added, allowing deep infiltration of important institutions.
The encryption debate – often termed The Crypto Wars by those involved – has popped up repeatedly since we became an information-heavy society. The latest round of Crypto Wars all but ended earlier this year in a resounding defeat for those seeking weaker encryption, thanks to a strong, universal agreement among security experts that installing system backdoors cannot be done without weakening the system to other attackers. We cannot produce a golden key that only allows authorized access. Backdoors are by definition security vulnerabilities. Encryption in the sense we talk about it, whether we’re talking about credit card payment systems or messaging apps, is a form of mathematics. When we talk about algorithms we’re not talking about some kind of arcane code but rather mathematical formulas. A formula is a relationship. The right relationships between variables can do things like create nearly-unguessable random number sequences. Tweak that relationship even a little bit – as was done with dual_ec_drbg mentioned above – and you instantly change the formula in huge ways, sometimes drastically reducing the amount of computer power/time needed to work out what numbers the formula is going to produce.
This is a vast simplification of the math involved – but it is math. No amount of magical thinking or politicking will change the fact that encryption is, at its core, a mathematical problem. And unlike the statistical shenanigans politicians are used to playing when it comes to polling, these numbers don’t bend.
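To make the "tweaked relationship" concrete, here is an added example (not from the newsletter) of a toy Dual_EC_DRBG in Python: the generator walks two points P and Q on a curve, and whoever knows the secret scalar linking them turns a single observed output into every future output, which is exactly why such a key is a vulnerability rather than a golden key. The curve arithmetic uses secp256k1 for realistic sizes; the constants BACKDOOR_D and the seed are constructed, and the real generator's NIST curve and output truncation are omitted.

```python
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
Q = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    if A[0] == B[0] and (A[1] + B[1]) % P_MOD == 0:
        return None                      # A + (-A) = infinity
    if A == B:                           # doubling (curve coefficient a = 0)
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P_MOD) % P_MOD
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P_MOD) % P_MOD
    x = (lam * lam - A[0] - B[0]) % P_MOD
    return x, (lam * (A[0] - x) - A[1]) % P_MOD

def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

BACKDOOR_D = 0x1234567          # constructed secret: the "golden key"
P = ec_mul(BACKDOOR_D, Q)       # the innocent-looking second point, P = d*Q

def dual_ec_step(state):
    """One round: r = x(sP); next state is x(rP); output is x(rQ)."""
    r = ec_mul(state, P)[0]
    return ec_mul(r, P)[0], ec_mul(r, Q)[0]

def lift_x(x):
    """A curve point with this x (p = 3 mod 4, so sqrt is one exponentiation)."""
    return x, pow((x ** 3 + 7) % P_MOD, (P_MOD + 1) // 4, P_MOD)

def recover_state(output, d):
    """Key holder: d*(rQ) = r*(dQ) = rP, whose x-coordinate is the next state."""
    return ec_mul(d, lift_x(output))[0]

def outputs(state, rounds=3):
    outs = []                   # run the generator forward from a given state
    for _ in range(rounds):
        state, out = dual_ec_step(state)
        outs.append(out)
    return outs
```

Compare `outputs(state)` with `outputs(recover_state(leak, BACKDOOR_D))` after one leaked output: the key holder's predictions match the generator exactly, while a wrong scalar recovers nothing.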
The Crypto Wars reignited after the Paris attacks. Oddly so, since there’s not one iota of evidence that the attackers used encryption. FBI Director Comey continues to make statements in his interest about terrorists using encryption, and those statements continue to be disproven as investigations move forward and we learn more details. Statements like “their phones included encryption” are disingenuous at best – all modern cellphones include encryption of various sorts. The authorities depend on vague and unprovable statements and emotion to sway public opinion, while information security experts have issued a resounding opinion: you cannot build a backdoor that no one else can exploit.
Hillary Clinton has called for a “Manhattan Project” in order to help law enforcement break into encrypted communications while leaving them secure, and this is as doomed a project as that of any Republican. The comparison to the original Manhattan Project is an immediate failure: they were working with the physics; Hillary wants experts to work against the math. Mathematics is not an issue you can legislate or threaten your way out of, something the Catholic Church learned the hard way ages ago. Tweak the smallest parameter in an algorithmic relationship and you put at risk anything in that system – financial access, health data, intelligence agent backgrounds and their biometrics.
In crypto even more than in politics, we ignore the numbers at our peril.