Wednesday, October 18, 2017

Some significant developments in digital security this year

We have had a steady stream of bad news on the cyber security front. It is hard to keep all that straight and make sense of where it is all going. I will attempt to summarize it here.

1) Early in the year, we heard whispers in news reports about RIS-led attacks on the electoral systems in 2016. These were later confirmed by DHS officials in Congressional and Senate testimony. This is bad because it means your voter information can be modified, and if your state or county uses some form of screening (they all do) to remove suspect voters from their rolls, your voting rights could be terminated.

2) In February of this year, the first SHA-1 collision was calculated. SHA-1 (and similar hash algorithms) is used to sign documents over the internet. These algorithms were thought to be unbreakable, but it was found that this is not actually true. Since document signing is at the core of all software updates to your personal devices (mobile, computer, etc.), the detection of a SHA-1 collision has a massive impact on the apparent security of digital information. While more advanced algorithms are being used in place of SHA-1, the idea that these may not be as secure as imagined is quite frightening.

3) Last year, there were rumors that Kaspersky AV was penetrated by RIS-backed hackers. The rumors have now been reported in the lay press as being sourced to Israeli intelligence. Apparently Israeli intelligence penetrated Kaspersky and found out that RIS was using the AV software to open backdoors into every computer that used it.

4) The credit reporting service Equifax was hacked and the personal information (address, SSN, DOB, etc.) of 143 million US residents was compromised. This is the digital equivalent of a Pearl Harbor, but no one seems to have quite figured that out yet. As people went to look at the Equifax site and report incidents of fraud, they were greeted by a large number of fake Flash updates. The malware attempted to pass itself off as an Equifax product that customers should install on their computers.

5) WPA2, the protocol used to secure WiFi communications and critical to the functioning of mobile and IoT devices, was determined to have a massive vulnerability in it. The set of attacks is collectively called the "KRACK attack". No patches are available as of today for this. We are flying on a wing and a prayer here.

6) The NSA TAO's tool kit allegedly leaked out onto the internet early this year. The NSA detected the loss of these tools and informed various vendors so they could patch the affected vulnerabilities, but it is unclear how effective the patches have been at containing the threat.

7) Yahoo finally admitted that something like 3 billion of its accounts had been compromised in a security breach last year. The timing of this admission is important; it suggests something more than the usual level of incompetence is at play.

8) MSFT informed us yesterday that their main server containing information about bugs and hacking attempts/malware was breached about four years ago. Again, it is the timing of this admission that I feel reflects a growing sense of insecurity in MSFT.

9) (Thanks, Kevin T.) Deloitte was hacked and information pertaining to many government clients was accessed. We know very little about this. This is bad, as Deloitte usually performs sensitive accounting services for a variety of big companies. Apparently Deloitte did not have MFA implemented on one of its admin accounts.

I feel two things are still somewhat viable:

1) MFA (Multi-Factor Authentication): this can get expensive, but it may be the only way to secure critical information.

2) PGP: as this is based on the still NP-hard prime factorization and random key generation problems, it is hoped that separate transmission of the encrypted key and the data will ensure good security.

That said, all the breaches described above reduce the barrier to impersonation attacks.

Neither MFA nor PGP is secure against impersonation.


At 9:46 AM, Blogger kevin torgrimson said...

I love the Pearl Harbour reference, very true about the seriousness of these attacks. I think it's also prudent to point out the cyber attack on a big 4 accounting firm (Deloitte) that apparently went unnoticed for months. A company recently named a global leader in cyber security consulting by Kennedy Consulting Research and Advisory, a leading analyst firm.
There is a gaping hole in the henhouse and foxes everywhere...

At 11:20 AM, Blogger maverick said...

Wow!! I totally missed the Deloitte attack.

(smacking forehead) will add that to the post.
