What happens in a world without encryption and the ethics that should go with it? This week we’ll investigate how fragile our system of trust is in a world where we protect against hacks, then hack to protect.
With the means at our disposal—and any lapse in principles—your television could be remote controlled by your neighbor’s drone, a simple pentest of your organization’s defenses could get ugly, and private transportation information from Brazil could end up on a malware site.
And, in an admittedly worst-case scenario, democracy could be challenged by any lapse in voting security. The importance of good encryption and the ethics to match, all in this week’s Encryption Digest.
What’s the difference between a pentest and a data compromise? Lately, those terms have not been mutually exclusive.
Just last week, BlackBerry announced Brazil’s civilian air-traffic control details were found on a public malware repository. Their report, Thin Red Line – Penetration Testing Practices Examined, calls into question many practices common to pentesters, and scrutinizes many well-known companies seeking to plant their flag in the field.
Penetration testing, or ethical hacking, is a way of proving the security of various encrypted systems in the hopes of catching vulnerabilities before an attacker does. Nothing is off limits: cross-site scripting, hash cracking, busting down backdoors.
After reaching elbow-deep into the data, Kevin Livelli, Director of Threat Intelligence at BlackBerry® Cylance®, surfaces to report: “[M]any of our findings are uncomfortable.”
We may have discovered the most convoluted way to share Netflix accounts.
Remember that remote insulin shot that remained unencrypted, leaving it open for hackers to swipe the radio frequency and inject shots of their own? Well, apparently, we’re still not doing enough to secure the airwaves. At Defcon last week, security researcher Pedro Cabrera noted the ease with which someone could override the television frequency of an unencrypted TV connection and broadcast their own channel instead.
Far from a chance at stardom, he predicts these will be used for social engineering attacks—say, the phishiness of a scam email meets an unassuming pay-per-view lookalike.
"No one expects to have this kind of social engineering attack on their smart TV," he says.
Well, not before now.
Like you were there: At Defcon, Cabrera demonstrated the attack by broadcasting a signal from a hovering drone equipped with a software-defined radio. But he adds, “If I want to target my neighbor, the easiest way is with an amplifier and a directional antenna...then for sure my signal will be received.” Good to know.
Best. Voting Machine. Ever.
Or so we hope. Darpa, the government’s crack squad of science tech [Defense Advanced Research Projects Agency], poured $10 million into developing an uncrackable voting machine. Did it work? Well, they unleashed the best of Defcon on it this past weekend to find out. At the Voting Village, scores of would-be hackers took their best shot at breaching the impenetrable beast.
“All of this is here for people to poke at,” says principal researcher Dan Zimmerman of Galois, the verifiable systems firm in charge of creation. “I don’t think anyone has found any bugs or issues yet, but we want people to find things.”
The encryption was strong with this one, as we have it on good information that no one was able to find anything - but the opportunities are still out there. Darpa’s voting machine will be taking a two-year university tour to discover the weak link that could bring it down.
Food for thought: There’s a sort of unspoken ethics in the hacking community, especially with community-good efforts like this one. We all want a safer voting machine...don’t we? Or does the public tour increase attack vectors by potentially trusting intimate voting machine knowledge to the wrong hands? Leave your thoughts in the comments below.
Last week Pravin Kothari, founder of CipherCloud, came out against corporate lethargy when it comes to secure data encryption.
“Companies will have to begin to weigh the risk and reward of doing the minimum and stepping up to a strong encryption and tokenization techniques... In these times, a business cannot stick their head in the sand and do nothing.”
If you haven’t secured your number one machine identity assets, you may want to do so now. Still on the fence? We’ll let Pravin preach.
Reasons to care about encrypting your cash cow:
And a data breach for your business in the future? Pravin says it’s “assumed”.