Encryption still resides outside the constraints of formal regulation. NIST has guidelines, the internet has HTTPS and enterprises have best practices. However, when a database hosting nearly 60,000 payment records lays unencrypted for months, or a major consumer tech company uses encryption that was deemed unacceptable four years ago, we may wonder at the lack of awareness around deploying strong encryption. One agency that has zero room for error in the encryption battle is the federal government, who plans to embed encrypted tech in the uniforms of US soldiers, and we see Mozilla take matters into their own hands as they attempt to stymie DNS attacks.
The first time it was 40-bit encryption. Then it was 80-bit. It should have been exponentially harder to crack—instead it only took twice as long.
A bug in the encryption of the Pektron-made Model S key fob allowed the coding to be spliced as two 40-bit keys, instead of one 80-bit one. So instead of taking around two seconds to breach, it now takes about four. Just enough time to look twice as your $75K hits the road.
A little over 12 months ago, Belgian researcher Lennert Wouters and his team discovered a way to compromise the encryption on the previous Model S fob, with the help of some non-elite radio equipment. Tesla replaced the fobs, repaired the glitch, and then experienced the same problem again this year.
Although pushing out the fix wirelessly to the affected fobs this time—an industry first and “pretty cool” solve according to Wouters—the strength of Tesla’s 80-bit encryption might still not be enough. Even if it did work.
Back in 2013, The National Institute of Standards and Technology [NIST] issued an injunctive to phase out all 80-bit encryption within two years. In the 2015 NIST guidelines, they reiterated “the use of keys that provide less than 112 bits of security strength for key agreement is now disallowed.”
With quantum computing prowling around our current cryptography, even 112-bit keys could soon be rendered obsolete. Since there is no regulating body to enforce NIST guidelines, it falls on each enterprise to secure their trade secrets and our tech investments. More reason to care that our key fobs, smart cars, spaceships—employ proper encryption standards now.
- Is Mobile Encryption Really an Urgent Public Safety Issue?
- FBI’s Inability to Access Texas Shooter’s Phone Raises Old Questions about Encryption
- Using Cryptographic Keys to Steal Cars Remotely: Uncovering Vulnerabilities in Hyundai’s Mobile App
How secure is your encryption? It might be safe. How secure would your encryption be if your life depended on it? Probably a lot safer.
A New Day for Cyber Warfare
The US army is inserting encrypted tech in the uniforms of US soldiers, now literally wearing the cyber war on their sleeves. The quarter-sized chip will receive drone feeds, sync up to tracking whereabouts and host other military communications directly from base to ground. The potentials are enormous, but it also puts a tantalizing bounty on these military entry points—wearable chips, smart goggles, embedded sensors and wireless communication links.
A Dangerous Responsibility
To combat expected cyber offensives, independent agencies like Encrypted Sensors are looking for innovative solves that could militarize status-quo encryption. Field Programmable Gate Array (FPGA) technology inserts pre-programmed chips directly into the hardware, circumventing the need for software or CPU control to encrypt.
Another solution is to go a non-math route. Hacking methods employ computing powers designed to crack the formulas of large data chunks. By inserting random words, letters and symbols at certain “cut points” in the data, Encrypted Sensors found a way to disrupt the hackable chunks and throw a creative curveball at binary minded machines. This may also put it in the blind spot of quantum crackers, at least for now. “It is not algebraic” explains CEO Pat Hull.
The cyber war is translating into human costs in an ever more intimate way, and military grade encryption needs to be impenetrable from the inside out. When cybersecurity equals mortality, cryptography can’t afford to be anything other than bulletproof.
- Encryption Backdoors and Federal Cybersecurity Posture
- Federal PKI Security Challenges: Are You Doing Enough to Protect Machine Identities?
- Federal PKI Security Challenges: Extending IDaaS with Certificate as a Service
Mid-blow in the encryption backdoor debate, another latent encryption thread might have caught fire—DNS versus DoH, and why it matters, and to whom.
After 35 years, internet security is getting a facelift, and the work is being done by DNS over HTTPS, or DoH. Mozilla Firefox decided to move forward with plans to oust DNS in favor of DoH, with an opt-out for stalwarts. The change will be phased in gradually and pending success in a small-number beta will be implemented browser wide. So why the concern, and what can DoH do that DNS doesn’t?
DNS (or the Domain Name System of the internet) operates as the “phonebook of the internet”. A series of digital (metaphorical) file cabinets and drawers are used to house locations of specific IP addresses and other identifiers, allowing us to access websites. According to Netsparker, “Back in 1983, when DNS [had] just been invented, DNS requests and responses were sent over the internet in clear text, and they still are.” DNS has never received a full security upgrade; a walking liability and one which HTTPS has tried to remedy.
Simply put, DoH works by encrypting web addresses and bypassing local Internet Service Providers (ISPs) to send the encrypted data directly to central nameservers—likely controlled by browser owners—to ensure the safety of the encrypted traffic. This sounds sanguine, but the discussion begs a few privacy and technical tradeoffs, which we will be following as the debate continues. For now, one interesting concession is that child-safe browsing and parental guard features (services of bypassed ISPs) will become moot.
Hence the opt-out option.
- Sea Turtle Takes Advantage of DNS’ Weak Security for Nation-State Attacks
- U.S. Department of Homeland Security Issues Emergency Directive on DNS Hijacking Attacks
- What is Session Hijacking?
It’s safe to assume that we all assume our "should-be-safe" transactions, are. Who wouldn’t protect my credit card information? However, as we’re finding out, it is increasingly common to have major, glaring glitches in encryption where the fence wasn’t breached—because it wasn’t put up in the first place.
An entire database bursting with 161 million consumer records (58,000 of which contained payment data) lay vulnerable at MoviePass until Mossab Hussein from Dubai-based cybersecurity firm SpiderSilk discovered it. Those 58,000 consumer credit cards languished on a publicly accessible database for months, completely exposed to attack, manipulation or use in phishing campaigns. Luckily, a white hat found it first, but our payment information should be protected by a lot more than luck.
Ironically, what that open-box data base was storing were human usernames and passwords. The industry for human identity protection ranges in the billions of dollars annually – unfortunately, machine identity protection (what could have secured those human identities) doesn’t garner nearly as much attention.
The Goose that Guards the Golden Eggs
With the average breach costing almost 4 billion dollars, it might be time to invest in protecting the goose that guards the golden eggs.