Cryptography May Not Be Dead, But It Is on Life Support

Cindy and I had the good fortune of attending part of the Real World Cryptography Workshop held last week in New York City. We went primarily to listen to Bruce...
Michael Buckbee
4 min read
Last updated October 21, 2021

Cindy and I had the good fortune of attending part of the Real World Cryptography Workshop held last week in New York City. We went primarily to listen to Bruce Schneier discuss the implications of the Snowden documents. But we quickly learned from others sessions that there was an underlying context to this conference.  Over the last year, cryptography and data security have been completely shaken by malware, and specifically advanced persistent threats or APTs, leading some to say or at least imply that cryptography is dead.

If not dead, it’s at least been seriously wounded. About a year ago, Adi Shamir—the S in RSA—caused something of a controversy when he said that we should be “preparing for a post-cryptography world” and that “cryptography is becoming less important.” His argument—and it’s a good one—rested on APT’s power to watch everything in a system and thereby violate the core assumption that private keys and the rest of the crypto internals are unavailable to hackers.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

Security and IT security pros shouldn’t panic just yet.

A counter-argument to Shamir is that we’ve aided and abetted cyber criminals and governments through bad implementations of parts of the security stack— SSL, for example—and just basic neglect. So we can still get more out of the current security technology, but we have to be smarter about it. And there’s some advanced ideas—centered on something called multi-party computation—that in theory will bring new life to crypto.

I came away from Schneier’s presentation with two key points. One, we can expect some of the techniques used by the NSA to eventually filter down to ordinary hackers. For example, packet injection secretly redirects a target to a spoofed site, but requires a privileged position—which the NSA has—on the Internet backbone to be done reliably. Schneier believes we will see wider use of packet injection and other man-on-the-side attacks by private players. Two, we have to make it economically harder for any attacker to gain access to data. Schneier was referring to the fact that large parts of the Internet are easy game for anyone with the right tools and techniques—loosely speaking the backbone and its servers but also endpoint devices and apps have minimal or no encryption or other security as a default.

In listening to Schneier, I began to think less about government intelligence operations and more about what sophisticated hackers (and they’re out there) will be doing to get their hands on corporate data in the coming years. His message then becomes a familiar one, at least to Metadata Era readers: we won’t be able to entirely keep out cyber thieves, so we need to build a second line of defense. Widespread encryption may be cumbersome in a corporate environment where the goal is to get employees to collaborate and share.  However, we can make it much more time-consuming for hackers to find the high-value data.

And this is where knowing where your data is and who owns it is a powerful counter-measure. You can prevent bulk-collection of PIIs and other sensitive data by making sure it’s not found in easily accessible shared folders with loose permissions. And you can have in place real-time monitoring of user activity to spot and stop a breach in progress.

Enough from me. We’ve gone through the transcripts of Schneier’s presentation and picked out our favorite quotes:

 “Most of how the NSA deals with cryptography is by getting around it … They exploit bad implementations—we have lots of those. They exploit default or weak keys—we have even more of those.”

We know that QUANTUM packet injection is how the great firewall of China works. We see some of these techniques used in Syria. And this is the fundamental harm. When I talk about the harms of NSA, this is what I talk about. The harm is that we have an internet insecure for everyone, the loss of trust in protocols, and the loss of trust in government institutions.”  

“We know that technology democratizes. Today’s secret NSA program, becomes tomorrow’s PhD thesis, becomes the next day’s hacker tool.”

“The goal is not to secure against targeted collection, but secure against bulk collection.   Simply encrypting stuff on the Internet… the more on the backbone we encrypt, the better we’ll do.  QUANTUM works because the packets are unencrypted. Ubiquitous encryption will do a lot.”

We all know about the sabotaging of cell phone telephony standards … That came out in a Norwegian paper. There is the deliberate insertion of backdoors.”

“This is of course aided by the fact that we live in the information age. Everything we do is done with computers. Computers produce data. Moore’s law makes it really easy to save and to use. We’re creating data throughout our lives and it’s being collected.” 

“Endpoint security is so terrifically weak that the NSA can find ways around it. The math works once we put in systems and products, that’s when the vulnerabilities disappear.”

“Another thing we haven’t seen a lot of are the analysis tools and we will see more. We saw some good examples in the Washington Post story on location data. They did some really neat stuff with the database of cell phone location.  They had a system that looked for phones moving towards each other, turned off and then turned on when they are turning away from each other. Looking for secret meetings.  They were able to track the phone of US agents and look for phones of people who were vaguely following them—looking for tails.”

“A secure Internet is in everybody’s best interest.”

“We certainly need—as Jerry Kang  at UCLA talks about—data guardians, which are entities with fiduciary responsibilities for our data. We need to start thinking about the fact that our data is part of ourselves and is not controlled by us.  And a lot our laws about protection are really approximate–our homes, our cars, our bodies–and they  don’t apply when pieces of ourselves are remote.”

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

the-vulnerability-of-things---ioss-21
The Vulnerability of Things - IOSS 21
We were thrilled when Pen Testing veteran, Ken Munro joined our show to discuss the vulnerabilities of things. In this episode, Ken reveals the potential security risks in a multitude of IoT devices...
overheard:-
Overheard: "IT security has nothing to learn from the Mirai attack”
After my post last week on the great Mirai Internet takedown of 2016, I received some email in response. One of the themes in the feedback was, roughly, that ‘Mirai...
the-mirai-botnet-attack-and-revenge-of-the-internet-of-things
The Mirai Botnet Attack and Revenge of the Internet of Things
Once upon a time in early 2016, we were talking with pen tester Ken Munro about the security of IoT gadgetry — everything from wireless doorbells to coffee makers and...
data-security-2017:-we’re-all-hacked
Data Security 2017: We’re All Hacked
Remember more innocent times back in early 2017? Before Petya, WannaCry, leaked NSA vulnerabilities, Equifax, and Uber, the state of data security was anything but rosy, but I suppose there...