Quantum Computing’s Impact on Cyber Security

With more and more technological advancements every day, our vision of quantum computing is turning more into a reality than a theory. Companies like IBM and Microsoft are accelerating forward and becoming closer than ever to build the first fully functioning quantum computer. Seemingly on the edge of an almost quantum revolution, it’s important to ask questions about how integral parts of our lives like cyber security will be affected by this change.

First, let’s understand what quantum computing is. Comparing it to modern computing, which relies on discrete values of a bit being either a 0 or a 1, quantum computing would allow both of these possibilities to exist simultaneously in something called qubits, and these values only truly form when they are observed. This allows quantum computers to handle operations and equations at speeds that are exponentially higher than what we are used to in modern computers and their energy costs are far less.

How does this effect today’s security? Many of today’s security systems rely on cryptography, this is because normal computers struggle at factoring large numbers. This means that cryptography based on factoring numbers would be a safe bet against our technology today, but with the introduction of quantum computing, these practices would be useless. This isn’t the end of cryptography though because there are some approaches in use today that will be safe against the power of a quantum computer. That doesn’t mean that important companies and governments are using them though, and if quantum computing is to take off faster than anticipated they could run into some trouble. Other security strategies that are used today, like two-factor authentication, will still be just as effective after the introduction of quantum computing, due to multiple steps being taken by the person to log into a system.

Tomorrow’s security will be something almost unfathomable with quantum-based security implementations. Techniques like theoretically unbreakable cryptography, encrypting data to stop working if anyone attempts to uncover them and guaranteeing a safe passage to send data no matter what attacks are being used against it can all be potentially achieved with quantum computing. It’s not all positive though because with the power to develop secure techniques comes the power to exploit older strategies. An almost quantum arms race has begun between intelligence agencies and this is because the first agency to gain access to quantum computing power will have an incredible edge over all other counties.

Although quantum computers may never be a household item, their impact in the world will definitely be historical. While many of their advancements will benefit society and the internet infrastructure as we know it, it is still important to make sure what the world is ready for a step this large.

-Jeremy McGrath

Sources:

https://www.technative.io/how-will-quantum-computing-impact-cyber-security/

https://www.nasdaq.com/article/quantum-computing-what-it-is-and-who-the-major-players-are-cm939998

 

Advertisements

‘Gray Hat’ Hackers Can Be Good

With the internet becoming available on just about any device one can get their hands on, the incidents of hacking can rapidly increase. Smartphones and computers have been the main devices being hacked by cyberhackers before the internet has quickly become available in other machines and technologies. The vision of the future is seen with flying cars and robots, but these things would have to be connected to the internet to function. If any of these things in the future are connected to the internet, then cyberhackers will have more options of technologies to hack. Devices and machines, like cars, coffee makers, and thermostats were once not apart of the internet and that was a beneficial thing in society. But, vast new forms of technology and electronics that were once around as another form, are now more modern with today’s devices that are connected to the internet. We can easily access our cars, televisions, and thermostats with our cell phones now since they are all connected online. These new ways of interacting with electronics may seem fascinating to many in society but they don’t realize that this only gives hackers more opportunities to hack innocent people and businesses.

In the article, a famous hacker and former cybercriminal, Samy Kamkar, helped demonstrate how easy it is for hackers to gain access to other people’s electronic property, by hacking into a car. First of all, Samy is a “gray hat” hacker, meaning he is a good and bad hacker that hacks into devices to search for its weak vulnerabilities only to share with others his findings so they can patch up those weaknesses. Coming from a cybercriminal to a hacker who helps the world with hacking, just shows how much we might need to rely more on people like Samy. The world is becoming more connected through the internet with normal appliances used by people every day, to being used by hackers as cyberweapons and a new way to gain access to a victim’s wallet. Samy was able to use his own gadgets to hack into a random smart car by duplicating the connection with car’s actual key with Samy’s gadgets to be able to unlock the car. Samy showed that we aren’t taking our security as seriously as we should be. People often have weak passwords that they usually use for more than one of their accounts and devices that create a greater advantage for cyberhackers. I believe the world needs more good “gray hat” hackers like Samy Kamkar that can help teach and show others where there are weak vulnerabilities in smart appliances and devices. The more vulnerabilities that are fixed, the less hacking we will hopefully have in the world.

Image result for gray hat hacker  Related image

Sources: https://www.npr.org/sections/alltechconsidered/2018/02/23/583682220/this-gray-hat-hacker-breaks-into-your-car-to-prove-a-point

https://es.paperblog.com/samy-kamkar-hacker-piratear-es-positivo-la-necesidad-de-entender-al-hacker-para-estar-protegidos-3567883/

http://96eb74f3955cce95f97e138c47dfde41.blogspot.com/2015/03/grey-hat-hackers.html

-Matt Aiguier

Trustico Servers Compromised

When you surf the web, your web browser requests and receives data from some remote server. If you are logging into a website, you would want to have your login info secure, meaning when you send that information to the remote server for verification, you don’t want the data to be in plaintext such that it can eavesdropped by someone on the network. This is where SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols come in. These protocols are used when then website you visit has HTTPS instead of HTTP, with the ‘S’ standing for “secure”.

These protocols are based on a public key and a private key. These keys separately can be thought of as half of a whole key, and the whole key can be used to determine whether the information sent or received is from a source you expect, allowing you to know the data has not been compromised by another party. This is because data encrypted using somebody’s public key can only be decrypted using the same person’t private key. Suppose you are sending data to A from B. Then B uses A’s public key to encrypt the data, and when A receives the data, A can uses its private key to decrypt the data. Therefore, it is important to keep the private key locked up and secret.

This is where companies who issue SSL certificates come in. There are various ways to encrypt the data to make it secure, and various companies claim there algorithm is more secure or meets whatever criteria required for the server’s use, including warranties, browser support, subdomains, speed, and other additional exclusive features in a package.

On March 1, a user with the Twitter handle @svblxyz has noticed that he was not able to validate his certificate issued by Trustico, a certificate re-seller, and the site was instead sending curl requests (an application used in scripts for downloading various data) as displayed in the application logs. Another user with the Twitter handle @Manawyrm revealed that it’s possible to trick the script on the server doing the curl request to use some other command, also known as code injection. The most shocking thing about that was that the application logs showed that the command was run as root (highest privilege, no restrictions), meaning that script was running as admin. Another user by the Twitter handle @ebuildy also helped reveal that the company doesn’t use proxies, meaning that it is possible to inject code that would display all of the IP address of their LAN devices.

Having a code injection vulnerability on a server is bad enough since you let anyone to essentially mess around with. Having a code injection vulnerability that allows you run things as root is even worse since you then have complete access to the server. Having all that on a server which validates SSL certificates, and you have a complete nightmare. Following the tweets, it did not take the internet long to put Trustico’s server offline. One bad thing that have happened is someone wiping all data on the server, possibly without hopes for recovery or someone installing a bunch of backdoors on their server (allowing the person to get back in even after Trustico fixed the problem).

However, the worst thing that could have happened is private keys for SSL certificates being compromised. The user by the Twitter handle @ebuildy was able to figure out that Trustico doesn’t use proxies because when using code injection to display their localhost info, the results returned their own certificate under the company’s name. This means their private key could have been compromised and anyone could use code injection to run a command see the data unencrypted if they wanted to. Anyone who sends their SSL certificates for validation would have their certificates compromised. As of now the exploit is fixed and their old certificate was revoked and replaced with a new one.

A few days before the security flaw was found, Trustico was meaning to revoke security certificates by Symantec/DigiCert. Mozilla and Chrome browsers were rejecting DigiCert certificates after misissuing of over 30,000 of them. As a result Trustico decided it was better to switch from DigiCert to Comodo. According to a statement by Trustico, “We believe the orders placed via our Symantec® account were at risk and were poorly managed. In good conscience we decided it wasn’t ideal to have any active SSL Certificates on the Symantec® systems, nor any that didn’t meet our stringent security requirements”.

After they requested DigiCert to revoke the certificates to replace them with Comodo ones, DigiCert declined to do such unless they were compromised. Trustico then proceeded to email them the private keys of the certificates, and thus compromising them, providing insight that their certificate validation tools logged private keys of certificates. According to Jeremy Rowley from DigiCert, “Trustico not has provided any details how the private key leaked or how did they acquire the keys”, now leading to skepticism on whether any stored private keys were accessed by unauthorized during the time the code inject vulnerability was present.

— Alex Baraker

 

Sources:

  1. https://www.instantssl.com/ssl-certificate-products/https.html
  2. https://info.ssl.com/faq-what-is-a-private-key/
  3. https://www.instantssl.com/ssl-certificate.html
  4. https://twitter.com/svblxyz/status/969220402768736258
  5. https://twitter.com/Manawyrm/status/969230542578348033
  6. https://twitter.com/cujanovic/status/969229397508153350
  7. https://twitter.com/ebuildy/status/969230182295982080
  8. https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/BLvabFwcJqo
  9. https://gbhackers.com/google-announces-final-distrusting-symantec-ssl-certificates/
  10. https://www.trustico.com/news/2018/symantec-revocation/certificate-replacement.php
  11. https://bitkan.com/news/topic/69234
  12. https://gbhackers.com/23000-ssl-certificates-revoked/

Hacking the Winter Olympics

The Winter Olympics, like any other sporting event that takes place around the world, is normally being hacked by cyber attackers since so many people from different countries are attending the Winter Olympics. With many visitors coming to witness the games, there’s a greater chance for hacking to take place for the reason that a lot of money and personal information will be in one location. The Olympics is taking place in Pyeongchang, South Korea, not far from the neighboring country of North Korea. In the past, politics have gotten involved in the Olympics, so the International Olympics Committee (IOC) is trying to not expect anything to happen from North Korea during the Winter Olympics.

Lots of visitors traveling to Pyeongchang own smartphones and electronics, but they don’t know how their devices can be easily hacked by cyber attackers who have the ability to steal the visitors’ private information. As a result of this, the Olympics have boosted their defense against hackers by using expert cybersecurity to make sure that the Games aren’t impacted like it was in the past at the Summer Olympics in Rio.

Furthermore, cyber attackers have been hacking into people’s social media accounts and posting links that contain malware for other people on social media to click on. These links could be stating that there are free tickets are being offered and those who are naive will fall for it. These kinds of links cannot be trusted on social media and especially in emails. Wireless networks are available throughout Pyeongchang for people to connect their electronic devices with, but these WiFi spots can be fake wireless access points created by cyber attackers to get personal information from people when they log in to use the fake WiFi. So it is recommended that visitors of the Winter Games to have antivirus software installed on electronic devices for protection and to possibly use a virtual private network so that they have connection without being detected or disturbed by cyber attackers.

Additionally, McAfee confirmed that a phishing campaign was made to target organizations associated with the Winter Olympics. Some of the South Koren organizations fell for it because they thought the campaign email was legitimate as it seemed. North Korea was suspected of launching the phishing campaign emails but stated that they weren’t the ones who launch those emails and have caused all the other attacks on the Olympics. The Olympics need a really strong cybersecurity defense because cyber attackers will keep attacking the Olympics to try to get ahold financial information, personal information, and any Olympics secrets.

Image result for winter olympics

Sources: http://money.cnn.com/2018/02/09/technology/pyeongchang-olympics-cyberattacks-south-korea/index.html

https://fortunedotcom.files.wordpress.com/2017/03/470381149.jpg

– Matt Aiguier

 

The Move to HTTPS (And Why Everyone Should be Doing It)

On the 8 of February, 2018, the Chromium Blog announced that with Chrome version 68, set for release in July of this year, will mark all websites which still use the unencrypted HTTP protocol as “not secure” websites as seen below:

not secure label on Chrome 68

This is a part of the Chromium development team and Google’s push—as well as many other groups such as Mozilla and even the US Government—to make the web more secure by making it more difficult for sites and companies to continue to process web traffic unencrypted. One might ask, however, why is this necessary? Why should web developers go through the effort to make all web pages go through the HTTPS protocol? Isn’t just using HTTPS on pages with “sensitive content” enough?

To start, when surfing the internet, even just for pleasure, one should consider everything he or she does to be “sensitive content”. Say for example, one is in a café using local, unencrypted Wi-Fi. An attacker can easily sniff the network for unencrypted web traffic and begin tracking all of the websites someone in the café visits. The attacker can learn about their behaviors, see any data exchanged over the internet like messages or emails, and begin to build a profile of their next potential target. When browsing the web unencrypted, everything from the names of the sites you visit, the cookies exchanged, and even passwords and credit card information. Even on an encrypted access network, one logged into the same network can still sniff and reveal the data shared by others also authenticated to the network.

Even if a web developer decides to use HTTPS to encrypt the exchange of passwords on login pages or credit cards on check-out pages, an attacker can still track your and the information exchanged when one is not on those encrypted pages. An attacker can also view the authentication cookies used to verify an active login session after passing the login page. Obtaining these can allow an attacker to begin a man-in-the-middle impersonation attack.

Even if a web developer claims they are exchanging no sensitive information and there is no reason to worry about someone catching wind of your visit to their website, implementing HTTPS is still a worthwhile option. With HTTPS becoming the new norm for surfing the web, using plain HTTP will make one’s website appear insecure, outdated, and untrustworthy. It also holds back the development and advancement of the web as the industry moves to better security practices.

There is nothing to lose and only things to be gained from migrating to HTTPS. With the Chrome and Firefox web browsers moving towards marking HTTP websites as insecure, it is in the best interest of all developers to move to HTTPS and all users to look for and opt-in to HTTPS websites at all times possible.

— Brendon Stowe
Student, R•I•T
Web & Mobile Computing


Sources:
https://blog.chromium.org/2018/02/a-secure-web-is-here-to-stay.html
https://https.cio.gov/everything/
https://mashable.com/2011/05/31/https-web-security/