A Quick Introduction to Cryptography

As a mathematician, I’ve always enjoyed encryption, and have followed it since my days at Digital where, of necessity, many corporate consulting engineers became experts in security. (The Morris worm didn’t hit Digital’s Ultrix but was shocking none-the-less. Mitnick’s theft of the source code for Digital’s flagship operating system VMS was, to say the least, embarrassing.)

My Ph.D. thesis generalized a classification of singular elliptic curves, and thus using the group structure on an elliptic curve for encryption deeply fascinated me.

There are quite a few very nice online courses, books, and papers on encryption. Search YouTube and Google for them. There are two issues to watch out for with older material. One is that someone may have recently cracked an encryption scheme, and the other issue is that more and more powerful computers enable brute force attacks that can break older encryption schemes.

Out of my private notes and many past talks I’ve put together and updated a few of my slides for an easy one hour introduction to cryptography for the working engineer. These slides are Quick Cryptography Introduction, and they list some of my favorite cryptography references.

Of course, to keep the presentation even close to an hour, many interesting and important topics were either given a cursory mention, or omitted entirely. In fact, I culled out more slides than I left in. There are, however, a couple “P.T. Barnum” slides that list such omitted topics and hint at future talks.

The very last slide of the presentation points out something both obvious and deep: Encryption is only a tiny part of security. While all working engineers should know the basics of cryptography (the contents of the presentation is a start), we should also realize, for example, that the people aspects of security dominate almost all security breaches. Weak passwords, poor software maintenance, lack of employee education on social engineering, etc. are still rampant. On the technology side, much software is simply poorly designed from a security perspective. We’ve a long ways to go in security, but learning a little cryptography is a good prerequisite.

BlackEnergy

The BlackEnergy toolkit seems to have been deployed as early as 2007 when publicly analyzed by Arbor Networks. It was a DDoS attack using just HTTP and PHP. It evolved in 2008 into a rootkit, BlackEnergy2, which was, according to secureworks.com, whose paper gives a complete analysis, similar enough to the existing rootkit Rustock to sometimes be detected as such. BlackEnergy2 had a banking plugin designed to steal banking credentials from infected users. It could then corrupt the disk, making it non-bootable, and then shut down the system (presumably so that the owner could not check the compromised bank account.) The 2014 evolution, described by ESET and also by F-Secure, was used in various industries of the Ukraine and Poland.

BlackEnergy3 is another variant, used by actors identified as the Quedagh gang (possibly Russian government sponsored), which F-Secure reports as being used to target political organizations with crimeware.

BlackEnergy3 is similar to the BlackEnergy used to infect various industrial control systems. Infected programs include GE’s Cimplicity, Siemens’ WinCC, and Advantech/Broadwin’s WebAccess. There are also some similarities to the malware Sandworm, which was used in a 2013 Russian cyberattack against NATO, the European Union, overseas telecommunications, and energy sectors. These various links and similarities give rise to speculation of a larger, government sponsored, program.

This all bothered DHS enough to issue, on October 29, 2014, a threat alert. Sadly, this has been reported as business as usual for the nation’s two regulated (nuclear and power grid) industries. It is not clear to me that the threat alert was a good idea; it’s a little like crying “wolf” when there’s no wolf … yet….

Havex aka Dragonfly

Havex, aka Dragonfly, is a Remote Access Trojan (RAT) that surfaced as early as September 2013 and appears to be related to the attack group Energetic Bear, whose activities were seen in August 2012 in the energy sector. Havex’s early targets appear to be European companies and educational institutions. These targets are not directly ICS vendors, and the relation to ICS is unclear, but ICS-CERT, F-Secure, Symantec, Kaspersky, and others are tracking such attacks. At the moment, Havex appears only to retrieve structural intelligence about its targets, possibly in advance of future attacks. Havex uses compromised web sites (samples here) to induce users to download software that is infected with Havex (a watering hole attack).

Havex has dozens of variants and uses multiple methods for penetration: phishing, watering hole, etc., and F-Secure has already identified many (146 so far) command and control servers for these variants.

The total number of variants, attack vectors, C&C servers, and years in service is scary. A great deal of data has been collected across multiple industries. It feels to me like a nation-state preparing for cyberattacks (plural).

Keyloggers as Trojan Horses

Read this Register article for starters.

A $10 giveaway at, say, conferences, could be an effective Trojan Horse.  Samy Kamkar (@samykamkar) has released schematics for a key logger built on the open source Ardunio hobby board.  I don’t quite see how to get the cost down to the claimed $10 without a lot of volume, since the Ardunio board retails for $25.  Perhaps the NSA has some better secret manufacturing plans with more nefarious delivery ideas.

Samy of course hopes that Microsoft and other keyboard manufactures will address such a security hole.

2015

Every few years I put together a talk about technology expected to develop or become prominent in the New Year. As I contemplated such a talk for 2015, my thoughts were stuck on cyber-security. While 2014 Silicon Valley IPOs in storage and in health-care are astounding, my thoughts are still on the vast discrepancy between the sophistication of malware attacks and the woeful inadequacy of corporate defenses. Various estimates of cyber-theft losses run into the hundreds of billions of dollars. These losses are hard to quantify. Even a kiddie virus that “only” disrupts a local network can cost millions of dollars in repairs and lost revenue. Never quantified by the courts, how do you put a numerical value on opportunity cost? How does one value the careers of the Target CEO and CIO who lost their jobs? Imagine the settlement if these two people alone could sue the perpetrators of the November 2013 Target breach in US court!

It is disheartening to contemplate that both the November 2013 Target breach and the recent Sony breach were preceded by successful, but smaller, earlier breaches. They of course were also preceded by other breaches into other companies. Will 2015 be the year that people wake up? Yes and no.

Let’s first consider the retail industry. We’ve had breaches at Target, Home Depot, Neiman Marcus, Sally Beauty, Kmart, Dairy Queen, Michaels Stores, P.G. Chang’s, Heartland Payment Systems, Goodwill, Supervalu, Staples, Jimmy John’s, Bebe Stores, Sheplers (western wear), Chick-Fil-A, OneStopParking (Krebs claims same attackers as Target’s), and probably many others in the retail industry that I haven’t studied. If this isn’t enough to motivate CEOs of retail companies, consider the very public breaches outside retail: Google (exposed Chinese Gmail accounts), Epsilon, Sony (Playstation), Sony Entertainment (Movies), US Dept of Veterans in 2009, Global Payments 2014, AOL, eBay, JPMorgan Chase, Adobe, United Parcel Service (UPS) Stores, Sands, etc.

No longer can the CEO of even a modestly large retail outlet assume it will be the “other guy” whose credit card database gets attacked. The board room topic of how much to increase the IT budget to address security will come up. The answer will be something like 10%. This is so wrong for many reasons. What most IT departments need is a total cultural change: new people, new expertise, new software, new security products, new processes, and new influence that will affect the entire company. This doesn’t even count the pain that Microsoft is forcing companies to suffer by shutting down support for older Windows products, notably XT and Server 2003. My guess is that the correct board room answer should be 100-200% (and even higher in capital costs for things like pin and chip support) and not a paltry increase such as 10%. If those triple digit percentage increases are even floated, they will get shouted down as not affordable.

Affordability here isn’t a technology topic, it is a topic for the Harvard Business Review: Restructuring the Retail Industry. I’ve seen hints of this. Authors scratch the surface on topics like “Who Pays?” for a breach? “How much should one spend of security?” where authors look at the probability and severity of a loss for a retail company and come up with some low recommendation. Bruce Schneier has in 2014 given a couple insightful talks which I cynically interpret as saying “Look, for all the reasons that I’ve just explained to you, you’re going to get hacked, so put your money on Incident Response. Namely, invest in recovering from the inevitable attack.” Bruce’s company Co3 Systems sells incident response products and services. To be fair, Bruce doesn’t say not to invest in malware defense, but rather, don’t fail to invest in incident response.

My first 2015 predictions: Large retail companies will not restructure, but they will wrestle with this affordability problem. Security product and consulting companies will do very well as a result. Incident response companies should also do well. Malware defense products will improve; however, retail companies will continue to be hacked. The attacks will escalate and increase in sophistication. Damage will continue to rise. The recent Sony Entertainment attack shows that retail won’t be the only target (no pun intended.)

OK, what really scares me? It isn’t retail! If we admonish retail and related companies for ignoring early warning signs of malware attacks, aren’t we blissfully ignorant of the warning signs for infrastructure attacks? We are. In fact, most of the cyber-security articles that I read also ignore this.

My second 2015 predictions: The United States will suffer a cyber-attack on some infrastructure site in 2015. The technology of Stuxnet and its predecessors and follow-ons Duqu, Flame, Gauss, Wiper, Mahdi, Shamoon, sKyWIper, Miniduke, Teamspy, etc. provide a roadmap for even the smallest nation-states to follow for such infrastructure attacks. In fact, if you take Ralph Langner’s excellent paper “Stuxnet’s Evil Twin” and substitute “centrifuge” for your favorite industrial mechanism, the result isn’t a bad outline for how to proceed with such an attack. An actual attack, say of our electrical grid, would have to modify multiple SCADA systems and multiple flow control and transmission devices. Lot’s of code needs to be modified from the Stuxnet code, but a small nation state could do it. (North Korea is reported to have 1800 skilled software engineers engaging in cyber-espionage. Such a large team and their contractors could do it.) Perhaps a smaller team of educated terrorists could carry out a more focused attack, say of a single industrial site.

We are not without early warnings beyond Stuxnet itself. SiliconANGLE’s May 2014 article on Iran and Syria attempted attacks on US Energy firms is such a warning. Certainly the attacks on Iran’s and Saudi Arabia’s oil infrastructure are warnings. A gcn article on an attack on Iran is here. A cnet article on a Quatari LNG attack and a Saudi Aramco oil company attack is here. This cnet article outlines multiple variants of the malware potentially used in these attacks. The February 2014 RSA Conference had multiple, more technical, talks on this topic. I expect even more for the 2015 conferences in the US and in Asia Pacific & Japan.

What totally surprises and scares me is that the U.S. has not yet had a serious infrastructure cyber-attack, while mid-eastern countries have had such attacks. Advancing past Stuxnet, the attack software is becoming more sophisticated and powerful. The U.S. is due…