The Vault Regulars

Saturday, March 18, 2017

Cyber attacks Pt2.- an Answer.

My last post which was a general question about cyber attacks after the ABTA hack, from somebody who knows nothing about the subject.
It created a lot of blog hits but not much in the way of comments. I can only assume from this that i am not alone in lacking any sort of competence to the subject.

However, i have received an email from a person in the know. A person involved in the good side of all things shrouded in grey matter.
I have asked if the person minded if i posted the email on the blog because it explains not only the pitfalls of my initial question but also makes it clear that it is imperative to have the best security on your systems and your devices that you can have.

So i thank the person for taking the time to initially read my first post and to put such a comprehensive answer together. It makes things clearer if still a bit scary.
Here is the email in full.
----------------

It's good to be questioning everything when it comes to security*.

The short, glib, response to this query is that there is no such thing as an absolutely secure device if it is connected to the outside world. Perhaps not even then (as suggested by leaks and rumours about the NSA's capabilities.)


The ABTA attack appears to be relatively minor (I can say that, I'm not one of the 43,000 customers!) and on the face of it their website *might* have an increased "attack surface" due to the number of plugins and modules that are used to provide different bits of functionality on the site.  I say might because it would take a detailed analysis to say for certain.  The developers of the ABTA site probably considered themselves to be better placed than many websites because they aren't (well, don't appear to be) using one of the more popular website systems.  


The popular systems are popular because they are easy to use, thus lowering the barrier to entry for anyone to have a good looking site.  "It's simple.  I'll just grab this plugin for this function from here, that plugin from over there lets me have fancy emojis, and everything will be fine." Security can be a problem in these systems because of that popularity as most people do not put any thought into security (including some plugin developers) and users and administrators often choose weak or default passwords.  I have not looked into the cause of the ABTA breach so I am not suggesting that these particular attack vectors were used in this instance.  Website security is an ongoing process of adapting to known weaknesses and attack vectors.


Turning to the query in focus here, I am not sure what you mean by:


I got to thinking that if the software company provides "parcels of encrypted data" that can be given to individual customers when they decide to sign up with the organisation, the customer can then add data into specified blank areas which will then make that parcel a unique gateway.

So, if the main organisation is hacked then the amount of gateways opened would be minor in comparison to 43,000.


It sounds like you are suggesting the use of public key cryptography. This is a very useful and powerful way to secure personal data. 

Essentially every customer would create (or already possess) a pair of encryption keys.  These are known as the private key (which is retained and never published by the "customer") and the public key (the public keys are generally published somewhere).  

When Trump wants to send a message to Putin that he wants to ensure only Putin can read, he encrypts his message with the PUBLIC key of Putin. Putin then uses his PRIVATE key to decrypt the data or message.  Similarly when Putin replies he will encrypt his response using Trump's PUBLIC key. (This is of course a fanciful and probably theoretical example.)

This page explains it well: https://www.comodo.com/resources/small-business/digital-certtrmrificates2.php

It's an excellent system but the overheads in training people how to use it properly, and the time it takes to encrypt/decrypt data, means that Mr Joe Citizen probably won't understand it or will very quickly decide that it's simply not worth the effort.

This is particularly so if such a system were to be implemented on a website - the computational power required for encrypting and decrypting is relatively large and the cost of doing something like this can be very significant. By way of example, law enforcement and intelligence agencies, and even data recovery companies, sometimes use hundreds of computers linked together to help crack document passwords which are significantly easier to crack than public key encryption.  The larger agencies utilise supercomputers and purpose-built systems for this purpose. 

Implementing public key encryption on a "normal" business website is not practical with current technology unfortunately.  The risks in an increasingly online and interconnected world are significant but so are the benefits.  From the end-users perspective, the best security advice is to try to only deal with reputable websites that implement *appropriate* security,  to use strong and unique passwords for each website (yes, easier said than done) and to ensure their own device and network are protected.  Administrators and developers have an obligation (in my opinion) to keep abreast of security developments.

*If you're in a corporate environment be mindful that you have likely agreed to not test security!  

Suggested reading:

Troy Hunt's excellent website: https://haveibeenpwned.com/ 
Public key encryption: https://www.comodo.com/resources/small-business/digital-certtrmrificates2.php
Top ten website application risks: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

No comments:

Find it Here