Sooz
17th October 2014, 06:48
Hi All,
Thought some here might be interested in this, re cyber security. 'The Black Hat' conference is in Amsterdam right now and Sam Volkering is there covering it.
Very interesting information. There are some interesting links at the bottom which you will NOT be able to click on, re 'Colonisation of Mars' - will post that separately.
Cracking the ‘Holy Grail’ of Cyber Security
October 17th 2014, by Sam Volkering, London, UK
In today’s Tech Insider...the hackers of yesteryear...the Holy Grail of cryptoanalysis...the world’s biggest security flaw no one knows about...and more...
During the 1800s lock companies would run competitions for anyone who could pick their lock. Companies would boast how secure their locks were. The companies with ‘unpickable’ locks would get all the business.
Famously, in 1818, the Chubb brothers patented the detector lock. The detector lock was also allegedly ‘unpickable’. And for many years it remained so.
Numerous people tried to crack the Chubb lock. For anyone who could crack it, a sizable reward was on offer. It was 33 years before a man, Alfred Charles Hobbs, was able to crack it. Once Hobbs cracked it, the Chubb brothers redesigned the lock.
That’s how it works in security. You try to make something secure, and then you try to break it. If it breaks, you figure out why, and then make it better. It’s an endless cycle. And it’s big business. That was true in the 1800s, and it’s even bigger business today.
Many of the attendees at BlackHat would have been lock pickers or safe crackers back in the 1800s. Today we call them hackers. Their job in many cases is to pick apart digital security. They find the flaws, pick the digital locks and then security companies make it better, stronger...and the cycle repeats.
As I walk around BlackHat, I’m surrounded by these digital safe crackers. There are cryptographic experts, pioneers of computer science, researchers and scientists. Many of them write code faster than I can write the English language.
And the members of this far flung community have all gathered here in Amsterdam to share the secrets of their trade. The information that I’m learning so far is nothing short of fascinating...albeit often terrifying.
The Holy Grail
The first day of briefings began with a keynote presentation from Adi Shamir. You’ve probably never heard of Adi before, but he’s a pioneer in cryptographic systems.
He co-invented the RSA algorithm. The RSA algorithm is a 4096-bit encryption. It’s regarded as the world’s most secure encryption algorithms.
The ‘S’ in RSA stands for Shamir. Although you might not know Shamir, you might know RSA, because they invented these...
Source: BusinessWeek
In the last few years, RSA tokens have proven to be hackable. Interestingly, it was Shamir who figured out how to crack it. Even more interesting is how Shamir and others broke the algorithm. They figured out how to break it by listening to the sounds a computer makes when running the algorithm.
As fascinating as that is, it’s not the peak of Shamir’s research. Today at BlackHat, Shamir showed the audience what he’s been working on lately.
I’ve written to you before about security problems in the connected world. A connected device is inherently vulnerable to hackers. What’s the best way to protect your device from online crooks? Take it offline.
A ‘disconnected’ computer is effectively known as an ‘air gap’. If your computer isn’t connected to the internet (or any network) then you simply can’t break into it without physically being right next to it...or can you? Shamir has been working on what he calls the ‘Holy Grail of cryptoanalysis’. In other words, he’s been trying to figure out how to hack an air gap computer. When you want the most extreme security for the contents of a computer, you create an air gap. You take the computer offline and off network. Some of the world’s biggest secrets exist on air gap computers for this reason.
However, to get those secrets into the computer, you often have to scan documents into it. And for that you typically need an all-in-one printer-copier-scanner.
The printer isn’t on the network or online in any way either. It does, however, have one connection: to the air gap computer. Shamir has figured out a way to use light to hack information on the air gap computer through the printer.
By shining a light onto the scanning surface, he can activate malware within the air gap computer. It’s actually like sending Morse code to the computer to activate a command. He can do this up close with a flashlight, or he can do it far away with a high power infrared laser. For example, one series of light flashes can send the command ‘get file Top_Secret.pdf’. This then retrieves the file and he can then extract the information, much in the same way it went in.
What’s even more exciting (and scary) is the distance from which he can do it all. In his demonstration, Shamir shined a high power laser from 200m, 500m and 1.2km onto an all-in-one printer connected to an air gap computer. The printer was located inside a fifth story office in a building in Israel, which is home to some of the world’s biggest computer companies.
Of course, I’ve dumbed down a lot of the details of Shamir’s research. And admittedly, he hasn’t perfected the system yet. He’s the first to admit that a key component is to get a well-hidden piece of malware onto the air gap computer to begin with. That itself is a hard thing to do. Another issue is that you need to get light to a connected printer. This is possible even with the printer lid closed, but still difficult.
Of course, you can combat this all by keeping the air gap computer in a windowless room in the depths of a highly secure basement. That’s probably what the NSA does with their air gap computers. But it’s probably fair to say there are lots of corporations with air gap computers that don’t go to those lengths. In fact, the example Shamir demonstrated was a real life scenario.
In the big scheme of things, nothing is truly safe. Until today, I thought only connected networks were vulnerable. Now I know that the entire digital world is vulnerable. Anything digital anywhere is ‘pickable’. What can we do about it? This is a question I’m looking into now. I spoke with some scientists and researchers today on the subject. The conversation only raised more questions and concerns. I’ll write more on that tomorrow and next week.
For now, I’m turning off my Bluetooth and WiFi. But if I really wanted to protect myself, I’d turn off my cellular connection too. Why? Because we all might be carrying around with us one of the biggest security flaws the world has ever seen, which no one knows about.
I’ll tell you more Monday, but you should be worried. Very worried.
Regards,
Sam Volkering +
Editor, Tech Insider
Tech Extra
Port Philip Publishing, Melbourne, Australia
Thought some here might be interested in this, re cyber security. 'The Black Hat' conference is in Amsterdam right now and Sam Volkering is there covering it.
Very interesting information. There are some interesting links at the bottom which you will NOT be able to click on, re 'Colonisation of Mars' - will post that separately.
Cracking the ‘Holy Grail’ of Cyber Security
October 17th 2014, by Sam Volkering, London, UK
In today’s Tech Insider...the hackers of yesteryear...the Holy Grail of cryptoanalysis...the world’s biggest security flaw no one knows about...and more...
During the 1800s lock companies would run competitions for anyone who could pick their lock. Companies would boast how secure their locks were. The companies with ‘unpickable’ locks would get all the business.
Famously, in 1818, the Chubb brothers patented the detector lock. The detector lock was also allegedly ‘unpickable’. And for many years it remained so.
Numerous people tried to crack the Chubb lock. For anyone who could crack it, a sizable reward was on offer. It was 33 years before a man, Alfred Charles Hobbs, was able to crack it. Once Hobbs cracked it, the Chubb brothers redesigned the lock.
That’s how it works in security. You try to make something secure, and then you try to break it. If it breaks, you figure out why, and then make it better. It’s an endless cycle. And it’s big business. That was true in the 1800s, and it’s even bigger business today.
Many of the attendees at BlackHat would have been lock pickers or safe crackers back in the 1800s. Today we call them hackers. Their job in many cases is to pick apart digital security. They find the flaws, pick the digital locks and then security companies make it better, stronger...and the cycle repeats.
As I walk around BlackHat, I’m surrounded by these digital safe crackers. There are cryptographic experts, pioneers of computer science, researchers and scientists. Many of them write code faster than I can write the English language.
And the members of this far flung community have all gathered here in Amsterdam to share the secrets of their trade. The information that I’m learning so far is nothing short of fascinating...albeit often terrifying.
The Holy Grail
The first day of briefings began with a keynote presentation from Adi Shamir. You’ve probably never heard of Adi before, but he’s a pioneer in cryptographic systems.
He co-invented the RSA algorithm. The RSA algorithm is a 4096-bit encryption. It’s regarded as the world’s most secure encryption algorithms.
The ‘S’ in RSA stands for Shamir. Although you might not know Shamir, you might know RSA, because they invented these...
Source: BusinessWeek
In the last few years, RSA tokens have proven to be hackable. Interestingly, it was Shamir who figured out how to crack it. Even more interesting is how Shamir and others broke the algorithm. They figured out how to break it by listening to the sounds a computer makes when running the algorithm.
As fascinating as that is, it’s not the peak of Shamir’s research. Today at BlackHat, Shamir showed the audience what he’s been working on lately.
I’ve written to you before about security problems in the connected world. A connected device is inherently vulnerable to hackers. What’s the best way to protect your device from online crooks? Take it offline.
A ‘disconnected’ computer is effectively known as an ‘air gap’. If your computer isn’t connected to the internet (or any network) then you simply can’t break into it without physically being right next to it...or can you? Shamir has been working on what he calls the ‘Holy Grail of cryptoanalysis’. In other words, he’s been trying to figure out how to hack an air gap computer. When you want the most extreme security for the contents of a computer, you create an air gap. You take the computer offline and off network. Some of the world’s biggest secrets exist on air gap computers for this reason.
However, to get those secrets into the computer, you often have to scan documents into it. And for that you typically need an all-in-one printer-copier-scanner.
The printer isn’t on the network or online in any way either. It does, however, have one connection: to the air gap computer. Shamir has figured out a way to use light to hack information on the air gap computer through the printer.
By shining a light onto the scanning surface, he can activate malware within the air gap computer. It’s actually like sending Morse code to the computer to activate a command. He can do this up close with a flashlight, or he can do it far away with a high power infrared laser. For example, one series of light flashes can send the command ‘get file Top_Secret.pdf’. This then retrieves the file and he can then extract the information, much in the same way it went in.
What’s even more exciting (and scary) is the distance from which he can do it all. In his demonstration, Shamir shined a high power laser from 200m, 500m and 1.2km onto an all-in-one printer connected to an air gap computer. The printer was located inside a fifth story office in a building in Israel, which is home to some of the world’s biggest computer companies.
Of course, I’ve dumbed down a lot of the details of Shamir’s research. And admittedly, he hasn’t perfected the system yet. He’s the first to admit that a key component is to get a well-hidden piece of malware onto the air gap computer to begin with. That itself is a hard thing to do. Another issue is that you need to get light to a connected printer. This is possible even with the printer lid closed, but still difficult.
Of course, you can combat this all by keeping the air gap computer in a windowless room in the depths of a highly secure basement. That’s probably what the NSA does with their air gap computers. But it’s probably fair to say there are lots of corporations with air gap computers that don’t go to those lengths. In fact, the example Shamir demonstrated was a real life scenario.
In the big scheme of things, nothing is truly safe. Until today, I thought only connected networks were vulnerable. Now I know that the entire digital world is vulnerable. Anything digital anywhere is ‘pickable’. What can we do about it? This is a question I’m looking into now. I spoke with some scientists and researchers today on the subject. The conversation only raised more questions and concerns. I’ll write more on that tomorrow and next week.
For now, I’m turning off my Bluetooth and WiFi. But if I really wanted to protect myself, I’d turn off my cellular connection too. Why? Because we all might be carrying around with us one of the biggest security flaws the world has ever seen, which no one knows about.
I’ll tell you more Monday, but you should be worried. Very worried.
Regards,
Sam Volkering +
Editor, Tech Insider
Tech Extra
Port Philip Publishing, Melbourne, Australia