Editorial blog entries from our CTO

Marriott hack was by Chinese state-sponsored hackers

As we’ve said repeatedly, as loudly as we can, for more than ten years, any of the flimsy protections from Container-Related Asset Protection (CRAP) vendors you think you are getting disappear like cotton candy in the hands of a five-year-old the minute a state-sponsored hacker with infinite resources takes interest in your data:

https://www.cnn.com/2018/12/12/tech/chinese-marriott-hack/index.html

2019-03-08T22:25:27+00:00 | December 12th, 2018

New chip targeting IoT security…

While the article (referenced below) is an interesting read, it is another extension of the traditional Container-Related Asset Protection (CRAP) security approach, but targeted to protect IoT. This is not necessarily a bad thing, in that at least IoT will have something, whereas today that sector has nothing.

Project Sopris chip designed to protect IoT devices

This still will not provide protection for digital assets that may interact with, or be used by, the IoT device(s). Consider this example: you have images on a USB drive or personal website you want to play on a smart TV in your hotel room. You have no idea to what systems that TV is connected. From the perspective of the TV owner, the device may well be secure, but from the perspective of the intellectual property (I/P) represented by your photos (which is what REALLY matters), no way in hell. Was the nighttime security guard legitimately given access rights by the hotel to make sure no one was playing any content (that the hotel isn’t profiting from) on that TV, and is now capturing your personal photos for whatever reason?

Or, you download your cycle data from your smart thermostat to compare it with your electricity bill and have it e-mailed to you by the thermostat. How does that data (showing the precise times you spend away from your home) get protected all the way through the world outside the thermostat and ensure that no one but you can read intercepted copies of that data (perhaps after you’ve read it and archived it to your e-mail server)?

So, while this may provide more targeted protection for devices in the IoT world, it will likely provide another attack surface, and once hackers find its weakness they will have learned to hack something that is in 50 million devices The Exact Same Way.

Remember “security” these days is being defined in the eye of the beholder, not in the generally accepted sense. “All that matters is, are my interests being protected? Forget everyone else, in fact, rob from what protects them to protect myself if I can get away with it.”

Thanks,

F. Scott Deaver

2017-12-07T17:42:35+00:00 | December 7th, 2017

Encryption is NOT the panacea IBM is telling you it is

You may recall that I have said many times that encryption is pointless because the protected asset eventually has to be decrypted somewhere and the hacker can simply get the asset from the decrypted location. Below is an article I wrote based on my previous discussions on this subject…

The first group of “cybersecurity experts”

There are two kinds of “cybersecurity” experts. One kind, as represented by IBM, CA, Symantec, Intel/McAfee, and FireEye, knows very little about the actual cybersecurity problem domain but a whole lot about extorting money from captive customers and the ignorant public in the name of “cybersecurity” without ever solving it (because solving the true underlying cybersecurity problem would make their lucrative business model also go away). Their cybersecurity failures are splashed all over the headlines these days, but they’ve managed to keep their names and associations with the crimes out of the press and off the websites through onerous contract stipulations with their customers forbidding their customers/victims from revealing the vendors’ identities and involvement in breaches.

The process this first group of guys engage in is known to industry professionals as “churning”, and relies primarily on ancient Container-Related Asset Protection (AKA, “CRAP”) technologies Band-Aided over with, or sometimes bundled with, pop-culture-inspired fads as apps. These technologies tend to aggregate ever-larger groups of otherwise-unprotected digital assets (files) into silos or containers (you would recognize these silos and containers as browsers, operating systems, file systems, servers, server farms, or the cloud) and protect them while stationary and in those silos/containers (as though that means anything in an increasingly-mobile world). In so doing, they make the rewards to hackers for breaching those silos/containers ever more profitable, worthwhile, and attractive, to the extent that now state actors (Russia, China, the Ukraine and other Baltic states, North Korea, India, Iran, Israel, the U.S., Europe, and various third-world dictatorships, among many others) with virtually unlimited resources (especially in comparison to the average business or intellectual property owner) are actively and aggressively involved in hacking. The more rewards (digital assets) there are for breaching a container or silo, the more motivation there is to hack the container in the first place. And oddly enough, the more resources you devote to “protecting” a container or silo, the more you advertise not only where the important things are stored (these CRAP technologies all have signatures and attack surfaces known to hackers), but how valuable you consider the digital assets stored there to be (like placing a sign over your wall safe that says “all the cash is stored here”).

A classic and unwinnable Chinese finger puzzle if there ever was one – for more information on CRAP technologies and industry churning, see our companion articles entitled “David Versus the Greediest Goliath”, “IBM, CA, Symantec, McAfee: The Car-Jackers of Cybersecurity”, and “AMULET™ intellectual property protection versus Container-Related Asset Protection (CRAP)”.

The second group knows the actual problem domain

The second group of cybersecurity experts knows the cybersecurity problem domain well from the standpoint of solving for it (as opposed to merely profiting from it) – those are the people who may have been at one time hackers themselves, or who are intimately familiar with the failings of CRAP technologies, or who have for decades seen the flaws in how CRAP technology defects are amplified by their implementations in actual installations in many dozens of industries across the country (Certitude Digital staff represent all of those people well). Certitude Digital and its principals are proudly founding and sustaining members of that second group.

Where the video comes in

You will note, if you’ve read some of our materials or are familiar with our patents and technologies, that we have said many times that encryption is pointless in and of itself in direct application to cybersecurity because the protected asset eventually has to be decrypted somewhere – and the hacker can simply get the asset from the decrypted location (locations which, in technologies that aren’t Certitude Digital’s, are well known to hackers). Some people won’t read the book and have to wait for the movie to come out, so here it is in a form everyone should be able to comprehend (smile):

[first video link]

[second video link]

Car thieves have figured out that encryption is its own worst enemy (it forces decryption to a known, specific location), and have implemented the same workaround as desktop computer hackers to solve encrypted car key fobs. In the case of car key fobs, all of the work is done in the same computer (the one on the vehicle), and the digital assets are already there, also on the vehicle (as pathways to door locks and the ignition keys). That is, the “known location” of the decrypted result happens to be the vehicle itself – how convenient!

What’s going on in both videos is this (same technique, two different makes of cars, simplified for a non-technical audience): Most car key fobs work on the basis that the car computer and the key fob each have a separate understanding as to how to calculate the same encryption key from a combination of the unique identifier of the key fob and the time-stamp taken at the moment a key fob signal is sent from/delivered to the car’s computer. When a key fob button is pressed, say “Open door” (which is what the thieves are doing the first time one waves the relay box in front of the garage door), the key fob makes a connection with the car computer, and the two components agree what time it is at that instant. Then, based on that time, they each independently calculate what the encryption key should be from the unique key fob (already known to the key fob, and which key fob is assigned to the vehicle is set in the vehicle computer by the manufacturer) and the time-stamp (looked up in a table of “rolling codes” stored in each device based on the time in milliseconds). The “Open door” command is encrypted using the calculated encryption key, and sent to the car’s computer. The vehicle’s computer then, using its time-stamp of the original key fob connection time and its own rolling codes table, reverses the process (determines a key from the assigned key fob ID and connection time-stamp, and decrypts the message to get the command code).

The most interesting thing to note here is that the conversations between key fob and car computer work in both directions – the key fob can initiate the conversation, or the car computer can initiate the conversation (when you walk up to a car with the key fob in your pocket and pull on a door handle, the car computer initiates the “Open door” command, in effect asking the key fob to send it that “Open door” command, which it will do if within range of the vehicle).

Despite what the CRAP purveyors are telling you about how their “protection” comes from the difficulty of cracking encryption, the opposite is actually true. What the thieves above are doing is merely making it possible for that communication to happen, rather than interfering with it or trying to decode it (just as hackers do on a desktop computer – let the process play out, then simply take the results). In other words, the method and sophistication of whatever encryption is used has become irrelevant. The relay box held by the first thief in front of the car door handle merely captures and amplifies the request from the door handle (via the car’s computer) back to the set of keys the thieves know are sitting somewhere in the owner’s home, and the relay box waved in front of the garage door by the second thief captures and amplifies the response from the owner’s keys and forwards it to the car’s computer.

That opens the right rear door of the vehicle. The thieves use exactly the same process (initiated by the vehicle’s starter button) to start the car (which is why you see the second thief waving his relay box in front of the garage door a second time, and then run back to his own vehicle once the stolen vehicle has started).

As you can see, the workaround to any type of encryption is actually to make it possible to complete its work (in this case, actually enhance it), rather than try to oppose it or modify the encryption/decryption in any way. Then simply take the results after decryption and go your merry way (in the case of the video, literally).
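The exchange described above, modelled in Python as an added illustration (not code from this page or from Certitude Digital): the car initiates, both ends derive the key from the fob ID and the agreed time, and the car accepts the fob's reply whether it came directly or through relay boxes that forward it untouched, while a reply with even one bit changed is rejected. The fob ID, shared secret, timestamps, latencies and the round-trip bound are constructed assumptions, and the round-trip check is an added mitigation not discussed on the page.

```python
import hashlib
import hmac
import secrets

# Constructed values: the fob's unique ID and a manufacturer-paired secret that
# stands in for the page's per-device "rolling codes table".
FOB_ID = b"FOB-0001"
SHARED_SECRET = secrets.token_bytes(32)
DIRECT_RTT_MS = 3        # assumed round trip when the fob is at the door
RELAY_LATENCY_MS = 120   # assumed extra delay added by the two relay boxes
RTT_LIMIT_MS = 10        # assumed bound a distance-checking car would enforce


def derive_key(fob_id: bytes, timestamp_ms: int) -> bytes:
    """Both ends compute the same per-message key from fob ID + agreed time."""
    material = fob_id + timestamp_ms.to_bytes(8, "big")
    return hmac.new(SHARED_SECRET, material, hashlib.sha256).digest()


def fob_respond(challenge: bytes, timestamp_ms: int) -> bytes:
    """Fob side: protect the 'Open door' command with the derived key."""
    key = derive_key(FOB_ID, timestamp_ms)
    return hmac.new(key, challenge + b"OPEN_DOOR", hashlib.sha256).digest()


def car_verify(challenge: bytes, timestamp_ms: int, response: bytes) -> bool:
    """Car side: reverse the derivation with the assigned fob ID and compare."""
    key = derive_key(FOB_ID, timestamp_ms)
    expected = hmac.new(key, challenge + b"OPEN_DOOR", hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def door_handle_pull(relayed: bool, enforce_rtt: bool = False) -> tuple:
    """One handle pull: car initiates, fob answers. Returns (opened, rtt_ms).

    relayed=True models the videos: every byte is forwarded untouched in both
    directions; the only thing the relay changes is how long the trip takes.
    """
    timestamp_ms = 1_700_000_000_000          # constructed 'agreed' clock value
    challenge = secrets.token_bytes(16)       # car's request to the fob
    rtt_ms = DIRECT_RTT_MS + (RELAY_LATENCY_MS if relayed else 0)
    response = fob_respond(challenge, timestamp_ms)   # the real fob, real key
    opened = car_verify(challenge, timestamp_ms, response)
    if enforce_rtt and rtt_ms > RTT_LIMIT_MS:
        opened = False   # added check: a genuine fob cannot be this far away
    return opened, rtt_ms


def tampered_attempt() -> bool:
    """Flip one bit of a valid reply: the crypto does its job and rejects it."""
    timestamp_ms = 1_700_000_000_000
    challenge = secrets.token_bytes(16)
    response = bytearray(fob_respond(challenge, timestamp_ms))
    response[0] ^= 0x01
    return car_verify(challenge, timestamp_ms, bytes(response))
```

The relayed reply verifies exactly as the direct one does, which is the point of the videos; only the added round-trip bound, not the strength of the cipher, tells the two apart.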

Now perhaps you are starting to understand what it is we have been trying to tell the world about the senselessness of relying on encryption? Duh, even car thieves are smart enough to work around it. It’s exactly like the scimitar-wielding Arab who religiously polishes his swords and mounts an intimidating display of shock and awe in the bazaar in the Indiana Jones movie, merely to get his silly @ss shot dead.

Yes, encryption has its place in cybersecurity, but not in the way used by traditional cybersecurity tools. They are using it backwards (see our explanation of fail safety at our Certitude Digital website).

But for the record, we are in the cybersecurity business, not the “I told you so” business (although the “I told you so” business is much easier and more fun, grin). We provide solutions to society’s problems. To that end, like Certitude Digital AMULET™s themselves, the solution to the car thief problem shown above is very simple and effective – whenever you are away from your vehicle for any reason, make sure the key fob is encased in an all-metal container from which signals cannot escape (I am thinking that Certitude Digital needs to offer these little containers, emblazoned with the AMULET™ shield, as give-away SWAG).

Which will, of course, be unnecessary once inexpensive, efficient, and effective Certitude Digital technology is embedded into future automobile firmware and software, and eventually into every other intelligent device on planet Earth.

Thanks,

F. Scott Deaver

2017-11-28T21:54:28+00:00 | November 28th, 2017

Virtually all Wi-Fi connections can be hacked

I am not sure why this is suddenly news now (WPA2 key reinstallation attacks have been known to the hacker community for years), but if you didn’t already know, nothing “encrypted” in a Wi-Fi connection is secure. The only encryption that works has to be unique to each individual digital asset!

https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns?utm_source=esp&utm_medium=Email&utm_campaign=GU+Today+USA+-+Collections+2017&utm_term=248212&subid=21195341&CMP=GT_US_collection

Thanks,

F. Scott Deaver

2017-10-16T14:59:56+00:00 | October 16th, 2017

IBM Watson reality

I keep hearing people claim they are waiting on AI to solve the cybersecurity problem for them… All I can say is “good luck with that!”:

http://www.rogerschank.com/fraudulent-claims-made-by-IBM-about-Watson-and-AI

http://www.techrepublic.com/article/beware-ais-magical-promises-as-seen-in-ibm-watsons-underwhelming-cancer-play/

https://gizmodo.com/why-everyone-is-hating-on-watson-including-the-people-w-1797510888

Thanks,

F. Scott Deaver

2017-10-04T12:36:48+00:00 | October 4th, 2017

Of Afghan poppies and high-heeled shoes

The Afghanistan poppy problem is perhaps more analogous to cybersecurity. If you are not familiar with the issue, here’s a short course from a reliable source: http://www.pbs.org/wgbh/frontline/article/why-eradication-wont-solve-afghanistans-poppy-problem/.

How do either of these analogies relate to cybersecurity? Because they demonstrate you cannot apply post facto regulation to a human enterprise that has existed for decades (or centuries) in which powerful, well-entrenched interests have established an absolute dependency upon things remaining as they are, and upon which even the rank-and-file players within the industry are dependent. The cybersecurity industry we know today is controlled by players who have controlled it for decades, and this year alone are expected to profit from it into the hundreds of billions of dollars (in the aggregate). The problem domain itself (losses from cybertheft) is expected to reach two trillion dollars this year, and six trillion dollars by 2021 (per Gartner and others). This means all of these companies taking billions in profits annually from consumers have been doing so without solving the problem one whit, and that continued growth of their markets (and stock prices) with very little invested in effective technology is completely dependent upon at least the perceived threat vector growing to the expected $6 trillion uninhibited (by us).

If our technology solves, as expected, the bulk of the cybersecurity problem, the threat vector virtually disappears, and along with it all those billions of dollars in profits being made today as we speak by not solving the problem, and being made by powerful corporations with huge political footprints. That’s not to mention the power and wealth of the state actors increasingly invested on the other side of the coin, who would like things to remain as they are to keep the act of hacking as easy and profitable as it is today.

So, as you can see, the challenge of solving cybersecurity was (comparatively) easy. The far bigger challenge lying ahead of us will be solving for Afghan poppies and high-heeled shoes.

Thanks,

F. Scott Deaver

2017-08-30T07:11:12+00:00 | August 30th, 2017

More silliness on the cybersecurity front – USB flash drives

Will this idiocy never stop?!? First, Blue Cross and Blue Shield (and apparently, other insurance companies) are sending out USB devices en masse and telling people to put those USB sticks into their devices… Which means all a hacker has to do now is send out similar notices with his own malware on cheap USB drives to infect any computer he/she wishes. I can’t BEGIN to tell you how ridiculous this is!:

https://twitter.com/og_tjg/status/884756210267893761

Next, because of all the numb-nuts out there doing these kinds of things, corporations are now shutting down USB ports on devices altogether:

https://community.spiceworks.com/topic/430901-usb-lockdown-thoughts-ideas

So of course, the next thing that happens is someone re-purposes the old dongle as an “identity” security device… using the USB port (the most hackable interface on a device)!:

http://money.cnn.com/2017/07/06/technology/gadgets/yubikey-security-key/index.html

Hackers are thrilled, because they need only simulate the appearance of one of these USB “security” devices to use the USB ports now re-enabled by some corporations for “security” purposes to, again, hack any device they wish…

Just so you know, hackers can purchase custom USB flash drives in small capacities in bulk for as little as twenty-five cents or less, with another nickel for custom printing. The hard part was(!) to get people into the habit of sticking USB drives from outside sources into their devices… Thanks to the folks above, that problem has now been solved (sigh). As to how cheaply flash devices can be had:

http://www.dhgate.com/product/real-metal-mini-usb-flash-drives-128m-1g/399821475.html#s1-4-1b;srp|1034336997

To illustrate how someone could easily game their way onto any Fortune 500 company device they wish (we’ll assume for our purposes here the Fortune 500 company uses Blue Cross Blue Shield as their health insurer), the hacker first need only to identify an employee with the access they want and then use a faked Blue Cross Blue Shield “followup” letter with an enclosed USB stick to get the employee to install the malware via that stick onto his company-issued laptop.

Thanks,

F. Scott Deaver

2017-07-12T10:16:04+00:00 | July 12th, 2017

Human error…

Human error beats all cybersecurity defenses out there – except AMULETs! (we minimize human intervention)

2017-06-28T17:48:18+00:00 | June 28th, 2017