Hacking the Hackers

Have you ever heard of Hacking Team?  It’s an Italian company specializing in “digital infiltration” products for governments, law enforcement agencies, and large corporations.  Simply put, they sell hacking tools.

You might think, given their business model, that they would monitor their own security religiously.  Last year, however, they were hacked.  Majorly hacked.  “Hundreds of Gb” of their internal files, emails, documents, and source code for their products were released online for all to inspect, as were their unencrypted passwords. [1]  Also released was a list of their customers, which included the governments of the United States, Russia, and Sudan—the last being a country controlled by an oppressive regime that has been embargoed by the E.U. [2]

Last Friday, the person claiming responsibility for the attack, “Phineas Phisher”, came forward with details about how they did it.  It’s worth reading through if you’re interested in security; if you’d like an explanation geared more towards the layperson, Ars Technica has a pretty good write-up/summary of the attack.

I was particularly struck by how they gained access to the network.  According to Phineas,

Hacking Team had very little exposed to the internet. For example, unlike Gamma Group, their customer support site needed a client certificate to connect. What they had was their main website (a Joomla blog in which Joomscan didn’t find anything serious), a mail server, a couple routers, two VPN appliances, and a spam filtering appliance… I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit…  I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device.

Basically, to avoid detection, Phineas discovered a previously unknown vulnerability [3] in one of their embedded devices (likely one of their routers), used it to get into the rest of the network, and then carried out the attack through that piece of hardware without anybody noticing.  No matter your feelings about the attack, this is an impressive feat.


References

1 By the way, here’s some advice: if you are in security (or anything, really, this isn’t security-specific) you should really make sure your passwords are more secure than “P4ssword”, “wolverine”, and “universo”.  Use a passphrase instead.
2 As an Italian company, this means that they were technically violating the embargo.
3 These unique vulnerabilities are called a “zero-day” in computer security circles, because the hackers find it before the company maintaining the software or device does— so once the company finds it, they have zero days to mitigate damage.

What is asymmetric cryptography?

Whitfield Diffie and Martin Hellman were jointly awarded the 2015 ACM A.M. Turing Award today.  Their 1976 paper, New Directions in Cryptography, essentially created asymmetric cryptography.  Today, asymmetric cryptography secures our online communications—from PGP-secured texts, emails, and files, to TLS and SSL-secured websites (including this one).  So how does asymmetric cryptography work, and how is the Diffie-Hellman key exchange more secure than older methods of encryption?

Symmetric encryption

Symmetric encryption relies on a key [1] shared between two or more people.  A message is encrypted using this key, and can then be decrypted by the same key held by somebody else.  Think of it like the front door of a house.  Alice has a key to the door, so she can lock and unlock the door.  Bob also has a key, so he can also lock and unlock the door.  In fact, anyone with a copy of that key can both lock and unlock the door whenever they want.  In the case of a message, this means that anyone with the right key can encrypt (lock) the message, or decrypt (unlock) the message.

It’s possible to break symmetric encryption [2], though it takes time.  Perhaps one of the most famous examples is from World War II, when the Allies were struggling to crack encrypted Nazi communications.  The messages were encrypted with Enigma machines, using key settings that changed daily.  The cryptography was eventually broken, but largely through the skill of the codebreakers, poor operating practice from some of the German operators, and the capture of key tables and hardware by the Allies.

Asymmetric encryption

Asymmetric encryption, in contrast to symmetric encryption, uses a pair of keys to encrypt messages.  One of the two keys is made public to everyone, and one is kept private (the two types of keys were called, cleverly enough, the public key and the private key, respectively).  Messages encrypted with the public key can only be decrypted using the private key [3], which ensures that the contents of the message can’t be read by anyone except the holder of the (hopefully secure) private key.  So if Alice wants to send an encrypted message to Bob, she starts by finding his public key.  She then encrypts her message using that, and sends it to Bob.  When Bob receives it, he uses his private key to decrypt the message.  If he wants to respond, he can encrypt his reply using Alice’s public key, and the cycle continues.  Since the public keys are usually published or exchanged in a way that lets each party be confident that it belongs to whomever they are sending it to, this ensures that the identity of the recipient can be verified.  Alice knows that only Bob can unlock her message, and Bob knows that only Alice can unlock his.

This is commonly used on websites that are secured by SSL/TLS (including this one).  Pretty much every major website is secured via SSL, and browsers will display a green padlock in the address bar of secured sites.  This serves two purposes: it proves that the website belongs to whomever it purports to belong to, and it encrypts traffic between your computer and the website so that it can’t be read by attackers, your ISP, or others who may have a vested interest in what you do.

This works in exactly the same way that the messages between Alice and Bob did.  When you visit a website secured with SSL, your browser and the server exchange public keys.  The server encrypts traffic to you using your public key, which your browser decrypts.  And your browser encrypts traffic to the server using the server’s public key, which the server decrypts.  Anyone trying to listen in on the conversation your browser and the server are having will hear nothing but random gibberish.  There’s one additional thing that your browser does to ensure that it’s not talking to a fake server that’s pretending to be the real website: it takes the public key presented by the server, and it compares it to a repository of public keys.  If it matches, it’s the real server.  If it doesn’t, it could be an imposter, and somebody could be listening in.
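The Diffie-Hellman key exchange from the 1976 paper the post mentions, worked through as an added example (not the post's own code) that covers both the Alice and Bob exchange and the browser/server exchange above: each side publishes one value and keeps one secret, and an eavesdropper who sees only the public values cannot combine them into the key. The modulus P and generator G are a constructed toy group, far too small to be secure, and the hash at the end stands in for a real key-derivation function; in practice the agreed secret becomes the key for symmetric encryption of the actual traffic.

```python
import hashlib
import secrets

# Toy public parameters, constructed for this example: a 127-bit Mersenne
# prime as modulus and a small generator. Real deployments use 2048-bit or
# larger groups (or elliptic curves); nothing about these values is secure.
P = 2**127 - 1
G = 5


def dh_keypair(p=P, g=G):
    """Pick a random private exponent; the public value is g^priv mod p."""
    priv = secrets.randbelow(p - 2) + 1          # 1 <= priv <= p - 2
    return priv, pow(g, priv, p)


def dh_shared_secret(their_pub, my_priv, p=P):
    """Combine the peer's public value with our own private exponent."""
    # Reject the degenerate values 0, 1 and p-1: a peer sending one of
    # those would force a predictable secret. Real stacks check this too.
    if not 1 < their_pub < p - 1:
        raise ValueError("invalid peer public value")
    return pow(their_pub, my_priv, p)


def session_key(shared_secret):
    """Hash the shared number into a 32-byte symmetric key (toy KDF)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def exchange():
    """Alice and Bob agree a key; Eve sees only P, G and the public values."""
    a_priv, a_pub = dh_keypair()    # Alice keeps a_priv, sends a_pub
    b_priv, b_pub = dh_keypair()    # Bob keeps b_priv, sends b_pub
    k_alice = session_key(dh_shared_secret(b_pub, a_priv))
    k_bob = session_key(dh_shared_secret(a_pub, b_priv))
    # Eve's obvious move, multiplying the two public values, yields
    # g^(a+b) rather than g^(a*b), so the key she derives does not match.
    k_eve = session_key(a_pub * b_pub % P)
    return k_alice, k_bob, k_eve


if __name__ == "__main__":
    ka, kb, ke = exchange()
    print("Alice == Bob:", ka == kb, "| Eve == Alice:", ke == ka)
```

With the textbook-sized group p = 23, g = 5, private exponents 6 and 15 give public values 8 and 19 and the shared number 2 on both sides, which is easy to check by hand.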

So the next time you’re wandering around the web, take a minute to appreciate that little green padlock in the corner of your screen, and think about the incredibly complicated math that underpins security on the internet.  It works invisibly to keep your communications safe, secure, and most importantly—private.


I’m not a cryptographer or a security specialist, just somebody who enjoys reading and learning about security.  If you think I left out something important, please send me an email so I can fix it.

References

1 Essentially, a key is a piece of really complicated math.
2 It’s also possible to break asymmetric encryption, or any encryption
3 Basically, the message is sent through a mathematical formula that only works one way… unless you have the incredibly complicated and unique formula that comprises the private key.