We’d love to put ourselves out of a job and not have any more breaches, bungles or bad actors to report on. But until we all have secure cyber strategies and capable machine identity management, we’re happy to raise the warning voice to help us all encrypt safely. A Capital One breach shakeout shows how status quo encryption may no longer be enough, and we’ve got a few airplanes and lava lamps thrown in. Plus, why the Bahamas should turn a special eye to government cybersecurity—now—and how Uganda’s government is probably misusing theirs.
As we report yet another casualty in the ongoing cyber war, we go back to the scene of the crime to try to unpick which cryptographic protections were (or were not) in place leading up to the Capital One breach.
"the encryption strategy, whatever it was, wasn't up to par"
The simple answer is one of two things: failing to use strong enough encryption or failing to properly store the decryption keys. The simplest answer is the encryption strategy, whatever it was, wasn’t up to par. Many times, this can be due to a certificate-related outage essentially “knocking out the power” on one part of the crypto-electric fence and allowing hackers a temporary pass-through. This is not uncommon.
It took a 33-year-old female hacker to game the system
Full details remain unclear, but however it was carried out, it took a 33-year-old female hacker to game the cybersecurity posture of this major US bank. Previously a systems engineer at Amazon Web Services (which hosted the Capital One account), she was knowledgeable, but no professional hacker. She exfiltrated millions of users’ records, then chatted about the haul online. Not interested in the cache, she left a link on GitHub and stated she “didn’t want it around.”
Whoever might have gotten to the private stash of data in the three months it was posted is still an uncomfortable thought.
It’s not that companies don’t encrypt. Capital One stated that encryption for them is a “standard”, but that the hacker had found a way to “decrypt” the data.
Extra: A data breach affects your bottom line. It’s estimated the debacle will cost up to $150M in the early stages.
- Marriott Data Breach: 500 Million Reasons Why It’s Critical to Protect Machine Identities
- Can Encryption Save Execs from Blame in Breaches? [Ask InfoSec Pros]
- 7 Data Breaches Caused by Human Error: Did Encryption Play a Role?
One airplane security enthusiast’s Google search led him to find flaws in encryption that could potentially crash your party.
After downloading publicly available flight coding (who knew?) for a couple of Boeing commercial jets, security researcher Ruben Santamarta did some digging and discovered a few areas of weak encryption that could cause some industry turbulence. Left unchecked, those flaws could be jockeyed by bad actors to infiltrate anything from in-flight movies to mission-critical flight sensors.
"Those flaws could be jockeyed to infiltrate movies to mission-critical flight sensors"
The findings were presented at Black Hat 2019. Codemaker Honeywell vetted the vulnerabilities, and inconclusive evidence of fatal capabilities prompted Boeing’s statement that “Boeing is confident that its airplanes are safe from cyberattack.”
However, “the flaws uncovered in the 787's code nonetheless represent a troubling lack of attention to cybersecurity.” This isn’t the first time Santamarta has uncovered encryption flaws in flight. He's punched holes in a few lines of aviation code before, but his findings were classified as “technical errors.”
Is it time the TSA issued a pat-down on aviation cryptography?
Bullet-Proof Code: What to do to make sure your (or your airline’s) code hasn’t been fiddled with? Well, you could rent a $250M jet and run the tests yourself, or you could sign your code. What is code signing? It’s a notarized signature, if you will, signifying that once you’ve touched it, nobody else has.
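Code signing in miniature, as an added example that is not from the page or from any vendor's product: the publisher signs the SHA-256 digest of an artifact with an Ed25519 key from the Go standard library, and anyone holding the public key can check that the bytes they received are exactly the bytes that were signed. The key pair and the artifact bytes are constructed on the spot for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds a publisher's key pair. In a real pipeline the private key
// would live in an HSM or signing service, not in the build process.
type Signer struct {
	PublicKey ed25519.PublicKey
	priv      ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair (constructed for this example).
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{PublicKey: pub, priv: priv}, nil
}

// Sign returns a detached signature over the SHA-256 digest of the artifact.
// Signing a digest mirrors common code-signing formats, where a manifest of
// file hashes is what actually gets signed.
func (s *Signer) Sign(artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(s.priv, digest[:])
}

// Verify reports whether artifact is byte-for-byte what the holder of pub signed.
// Any change to the bytes, or a signature from a different key, fails.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	s, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample artifact standing in for a firmware image or script.
	firmware := []byte("constructed sample artifact: sensor calibration table v1")
	sig := s.Sign(firmware)
	fmt.Println("untouched artifact verifies:", Verify(s.PublicKey, firmware, sig))

	tampered := append([]byte{}, firmware...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit
	fmt.Println("one-bit change verifies:", Verify(s.PublicKey, tampered, sig))
}
```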
See how Venafi signs their code – and get what they use
- Can Code Signing Be Both Fast and Secure? Guess We’ll Find Out
- Your Smart TV Might Be Susceptible to Mind-Control [Encryption Digest 8]
- Next Gen Code Signing Takes Machine Identity Management to the Next Level
A Wall Street Journal report uncovered allegations of Huawei using cell networks, local politics and overseas training to aid the Ugandan government in spying on its political foes. In what were apparently top-level surveillance courses, African intelligence operatives were coached on how to bypass encrypted chats and locate government officials through the Huawei network.
Huawei taught African government agents to bypass encrypted chats
In an ironic twist of trade, French publication Le Monde reported that the Chinese government had been using those same tactics to spy on African leaders themselves, and potentially tens of millions of their citizens. According to the article, microphones and other cyber espionage tools were found in an African Union building sweep by Ethiopian cybersecurity experts, assumed to be planted by Chinese entities contracted to install the in-office tech. The AU will now configure its own servers and run official communications via wire, not wi-fi.
Huawei: "We didn't do it"
Said Huawei, “Our internal investigation shows clearly that Huawei and its employees have not been engaged in any of the activities alleged.”
That’s a relief.
- Lethal Apps, Contraband Huawei and A Door that Unlocks Itself [Encryption Digest 7]
- Huawei | Battle of the Backdoors in Networking Infrastructure: Intentional vs. Incidental
- Mozilla and Google Come Down on the Side of Privacy [DarkMatter]
Forget the timeshare. All the Bahamians want is a chance to trade bonds online.
“We are getting ready to list over 200 government bonds, which (at the time of press) represents the entire portfolio of outstanding securities going back to 1999,” announced Deputy Prime Minister and Minister of Finance, Peter Turnquest.
Keeping pace with the digital transformation, they are set to modernize and transition to a paperless registry, using digital certificates for government bonds and ushering in electronic trading for state securities.
Bahamian cybersecurity is now really - really - important
Now it is more important than ever to ensure a strong cryptographic posture and agile machine identity management strategy, especially across government data stores. We all know what happens to resulting market shares when entities don’t, and we’re wishing the Bahamas all the best on this one.
Know your Acronyms: The Bahamas Government Registered Stocks (BGRS) are going to be listed on the Bahamas International Securities Exchange (BISX). In the process, they will be launching the Bahamas Government Registered Stock Depository (BGSD). That’s no BS, straight from the BS (Bahamas).