Insights For Success

Strategy, Innovation, Leadership and Security

Encryption

The start of the end for Symantec cert trust on Google's Chrome

GeneralEdward KiledjianComment
insecurity-440229_1920.png

A little history

Early 2017, a security researcher (Andrew Ayer from SSLMate) discovered that three certificate authorities (Symantec Trust Network, GeoTrust Inc., and Thawte Inc), owned by Symantec, had improperly issued 108 TLS certificates. It is important to understand that these improperly issued certificates would allow a threat actor to spoof or impersonate a website that was using HTTPS.

9 of these certificates were issued without the knowledge of the domain owners. 99 were issued without proper validation of domain ownership. 

This improper issuance of certificates directly contravenes the strict (prescriptive) guidelines of the CA/Browser Forum and raised the ire of internet giants like Google, Mozilla, and Microsoft. 

These guidelines and controls underpin the entire trust model of the encrypted internet.

There is no way to verify if these certificates were ever used in the wild but we also cannot verify that they were not used. 

You can see the list of certificates here

Chrome to distrust Symantec TLS Certs

https://bugs.chromium.org/p/chromium/issues/detail?id=796230

https://bugs.chromium.org/p/chromium/issues/detail?id=796230

Very quickly after this second incident was made public, the developers of the Chromium project announced their intention to distrust all Symantec issued TLS certificates. Since Chromium powers Google Chrome, the most popular browser in the world, this was a punishment for Symantec's mismanagement. So started the two-year roadmap to achieve this goal. 

You can read the blog article on the Google Security blog entitled "Chrome’s Plan to Distrust Symantec Certificates".

As you can see above, the process is broken down into 3 distinct phases:

  1. Certificates issued after December 1, 2017, from Symantec's legacy infrastructure will not be trusted
  2. Certificates issued before June 1, 2016, from Symantec's legacy infrastructure will not be trusted
  3. All certificates issued from Symantec's legacy infrastructure will not be trusted.

The first phase is rolling out with Chrome beta version 66 on March 15, 2018. Domain admins still using Symantec certs issued before June 1, 2016, are encouraged to replace them ASAP. 

The full roadmap will come to fruition with Google Chrome beta 70 (due October 16, 2018). 

Capture2.PNG

In an October 2017 Symantec security blog entry, we learned that Digicert will takeover certificate updated as of December 1, 2017. 

Review of encrypted email provider Protonmail

GeneralEdward Kiledjian1 Comment

Why would anyone use Protonmail instead of Gmail or Hotmail? SECURITY

Email is inherently insecure and if you are a political dissident whose online communications can mean the difference between living and dying, don't use email. For everyone else looking for an easy and secure email solution, keep reading about Protonmail.

Everyone needs to understand that SMTP was not designed to be secure and will always have security weaknesses.

We use email because we don't have a choice and everyone agrees it won't be displaced tomorrow.

The other major issue faced by secre service providers is ease of use. PGP is a good example of strong unbreakable email encryption that never became mainstream because it was simply too complicated for the mortal man. 

Absolute security is unpractical and will never gain widespread adoption so good security should be the goal for most services.

There is always a tradeoff between usability and security, The difficulty is finding the right balance.

So what does Protonmail offer?

The bright scientists behind Protonmail understand fine balance they must find between usability and security. Make the product too secure and no one will use it (aka bankruptcy) or make it extremely user friendly but not secure (become a me too email provider). 

They have chosen to implement good enough security which makes encryption generally accessible to the masses while protecting against unauthorized government seizure or mass surveillance.

What are the weaknesses of Protonmail?

Read my blog post about the Vault7 leaks (here) and you will realize that when government is stifled  by strong encryption (Whatsapp, Signal, etc), they compromise the endpoint and extract the information pre/post-encryption. 

Protonmail does not protect you if your endpoint is compromised. It would be unreasonable to assume any secure online service could protect you from this type of attack. if you want maximum endpoint security, learn about real security protocols and use a secure operating system like Qubes OS.

Nation state level man in the middle attack. Protonmail implements all of the controls to prevent a common man in the middle type of attack but a nation state actor with the ability to redirect your web traffic and generate real "fake" TLS certificates could theoretically intercept your traffic, ask you for your username/password then use those to access your account and decryption keys. Let's be clear that your garden variety hackers (even those that are extremely skilled) won't be able to pull this off. This would require skills, money and huge technical capabilities to reroute internet traffic and generate encryption certificates.

Intelligence break in. With all the talk about government backdoors, the third major weakness of Protonmail (and all other secure services products you did not write) is the fear that a nation-state actor would somehow infiltrate Protonmail and then implement "special" code that sends bad encryption code to the users thus allowing the threat actor to access unempted versions of the messages. Protonmail has stated that they have multiple controls in place to protect against this type of attack. They scan servers for unauthorized code changes.

Some nice features of Protonmail

Protonmail is a Swiss company based in Switzerland. Any government request for information would have to be done there using Swiss law, which is very protective of private information (USA cannot issue a National Security Letter to force the company to turn over information and hide the request from the user).

In the rare situation that a government were to spend the money and convince the Swiss court to compel Protonmail to turn over user information... Protonmail uses "Zero Access Cryptography" which means they do not hold the encryption keys and therefore can only turn over encrypted information. 

Protonmail supports (and you should use) 2-factor account authentication. This means that in addition to something you know (your username and password), you need something you have (a time based authentication code generated by an authentication app Google Authenticator or Authy.)

If you want to send something more secure than normal email to a non-Protonmail user, you can create a Protonmail hosted message that requires a password to open (obviously don't send the password using email) and can even have a fixed expiry date. 

Creating a password for the secure "hosted" email

Creating a password for the secure "hosted" email

Setting an expiry time for the message

Setting an expiry time for the message

Protonmail stores user based encrypted authentication logs. This means you can see when your account was logged into and from which IP address. You can turn this off it you don't want this captured. Protonmail does not capture or log your IP anywhere else.

 

The ProtonMail service has internal authentication logs. When I say internal, I mean that these details are available only to the account owner, and are recorded and encrypted with all the other data inside the account. As I mentioned earlier, Proton Technologies AG doesn’t log IP addresses, but this information can be logged inside your web client session. If you don’t need them, just wipe the logs and switch to basic mode which doesn’t record info on the IP addresses you logged in from.

Basic stores login dates / times only. Advanced also stores the IP Address from where you logged in. The choice is yours. You can always download this information or secure erase it.

No user profiling. When you use a free service, the provider is conducting deep analysis and creating a deep analysis about you. Protonmail doesn't do this since everything is encrypted.

They encrypt all non Protonmail emails received immediately upon ingestion. 

Emails that come from third party email providers obviously cannot be delivered with end-to-end encryption, but upon reaching our mail servers, we will encrypt them with the recipient’s public key before saving the messages. All this is done in memory so that by the time anything is permanently stored to disk, the email is already unreadable to us.

This is good for security but limits what they can do for SPAM control. In a blog post, they explain what they do to help fight SPAM:

  1. They check the IP address of the incoming SMTP server against known blacklists
  2. They pass all messages through their own Bayesian filter marking suspicious emails as SPAM
  3. They generate a checksum for each email message and verify this checksum against known SPAM messages
  4. They verify the authenticity of the email using standard protocols (SPF, DKIM and DMARC)

Sending secure emails to non Protonmail users

I alluded to this earlier but wanted to restate it here in it's own section since I would otherwise receive a dozen emails asking this question. 

Can secure emails be sent from Protonmail to non-Protonmail uers (Gmail, Hotmail, Outlook, etc)?

When sending emails to non-Protonmail users, you can:

  1. Send an un-encrypted standard email. This is what every other email provider does.
  2. You can use the lock icon in the compose window which asks for a password (See screenshot earlier in this post). In the case this is set, the recipient will receive a message with a link to a Protonmail web interface and he/she can use to  enter the provided message password and see the email. 
Notification non-Protonmail user receives

Notification non-Protonmail user receives

Password requested by non-Protonmail user.

Password requested by non-Protonmail user.

Free versus paid

Protonmail offers a free basic tier and I recommend everyone start with this level. If it meets your needs, you should consider upgrading to a paid tier which offers custom domains and more storage. 

Conclusion

I love Protonmail and am moving my private (not public) email address there. I like the security it provides and the open philosophy they espouse. I say use them if you want something more secure and private.

You may also want to read my article about SpiderOak. SpiderOak is a Google Drive, Microsoft OneDrive or Dropbox alternative with strong trust no one encryption.

Encryption isn't just for terrorists

GeneralEdward KiledjianComment
lock4644654654.jpg

It seems every time there is a terrorist attack, governments around the world use it as an opportunity to chip away at encryption. The latest attack was the UK Home secretary, Amber Rudd, who called WhatsApp's end-to-end encryption "completely unacceptable". She then adds that there should be “no hiding place for terrorists”.

Encryption is publicly known mathematics and there is no way to put the "cat back in the bag". If encryption is banned for law abiding Joe and Jane public, it makes everyone less safe but terrorists will simply use their resources and public encryption libraries to write their own encrypted programs and do their evil work. 

Minister Rudd's comments are the clearly from someone that doesn't understand the technology and how it is the fundamental underpinning of our entire technological society. Anytime you perform online banking, file your taxes with the government online or request a government service, you are using an encrypted channel of communication called TLS. It is the technology that makes using sensitive services on the internet possible. 

Banning encryption would mean no more online shopping, banking or anything else that requires privacy. So banning would not be accepted by our always online generation.

Government would counter this argument by saying they "simply" want a back door and not a ban on encryption. A backdoor would allow intelligence and police to more easily perform investigations while keeping general encryption alive. 

As a security professional, let me be clear that this is simply not possible. The minute a backdoor is implemented, it becomes a vulnerability that threat actors would attempt to find and exploit (organized crime, nation-state actors, foreign rogue governments, etc).If the Snowden and Vault7 leaks have shown us anything, it is that even government has issues keeping secrets. The reason encryption works is that it is based on mathematics and remains perfectly secure even though all the protocols, formula and applications are well know. 

Creating a backdoor for the good guys means you are also creating it for the bad guys. 

The Vault7 leak showed that governments have already solved the Whatsapp encryption issue by hacking the end device. When hacked, government can see pre/post encryption messages and therefore they are able to get the information they need. Yes it requires more work but every job has its challenges. This would bypass the encryption of Signal, Whatsapp or any other encrypted communicator.

Terrorism is a bad thing that affects as all. It is the worst of humanity being manifested because of hatred and misunderstanding of one another. Politicians are targeting encryption because it is the easy target but it isn't the right one.

As a geeky security professional, I will always be able to protect myself by rolling my own encryption, but the general population won't. Considering everything about us can now easily be stolen from our smartphone, I'm worried about any weakening of encryption. Just think about everything stored on your device (location history, contacts, social networks, where you have been and what you have done, health information, etc) and how you would feel if someone had access to all of it without your knowledge. 

We need technically knowledgeable politicians that will fight the good fight (against terrorism) without trying to neuter good wholesome public protecting technologies. It's like saying we will ban pools because there were 3,536 fatal non-boat related drownings in 2015 (there are over 8M pools public and private in the USA). We can't let a small batch of rotten apples contaminate the entire batch of cider.

Companies buying bitcoin to prepare for cyber extortion

GeneralEdward KiledjianComment

In an uncertain world where kidnapping for ransom is an all too common occurrence, many hostage negotiators use the no-concession policy. They justify this position by explaining that paying a ransom makes it more likely that the perpetrators will try it again and often times the ransom is used to fund illegal or terrorist organizations.

Although I have seen very little empirical evidence to prove that this no-concesion approach is more desirable than paying the ransom, this mentality was brought into the digital age when cyber-ransoms, cyber-extortions and crypto-malware became prevalent. 

More and more companies though have started to take a different approach and are now prepared to pay ransom in exchange for saving their networks, devices and information. To meet these demands quickly, some companies have started to store bitcoin as a risk mitigation strategy.

Why this change of heart? Many of the most popular well written malware was actually designed to ensure victims could recover their data when the ransom was paid. This attention to detail and solid customer service by the bad guys, means victims are now relatively certain that they will be saved if they pay the ransom. 

Sure paying the ransom means funding organized crime and will likely fuel the next wave of crypto-malware but companies have a duty to protect their organization (rather than take the moral high ground).

This change in mindset is so pronounced that traditional physical K&R (kidnap & ransom) negotiation experts have started to test the cyber-extortion and cyber-ransomware negotiation space. 

True verifiable numbers are hard to find but firms like Recorded Future ( a cyber intelligence company) has stated that it believes the cyber-ransom market has now reached the 1B$ mark. Kaspersky says a company is cyber-attacked every 40 seconds.

Obviously crypto-malware can be counter-acted by proper, regular offline backups but many companies don't start a robust recovery program until it's too late. They either pay the ransom or lose their data. Its that plain and simple.

Right now the advantage is with the attacker. Corporate information security groups have to bat 100% to keep the company safe. This is expensive, time consuming and not always achievable. The attacker just need to infect 1 machine on the network and then can propagate and move laterally from there. 

Companies have started to jump on the Ransomware protection bandwagon. An EDR &"next-generation AV" company called Cybereason offers a free product called RansomFree. They claim it protects against 99% of ransomware by monitoring how applications interact with files on your computer. Did I mention RansomFree is free? I haven't used their product and thus can't recommend it but it does seem to be useful and could really help the average consumer ensure they don't end up getting victimized.

It is clear that this malware is written by extremely skilled and determined threat actors. This isn't code written in somebody's basement but rather a professional extortion company with developers, quality assurance and even customer support to ensure a paying customer is taken care of. 

So the question is will your company prepare by buying and storing bitcoin? If you will, how much should you store? that is the new question.

Is WhatsApp security Good and trustworthy?

GeneralEdward KiledjianComment

Quietly and with little fanfare, Whatsapp released an update to all of its products enabling end-to-end encryption for its 1B+ end users. Funny enough, most users aren't aware that their Instant Messaging tool of choice is now powered by the worlds most secure end-to-end encryption protocol : Signal. 

Can I consider WhatsApp secure?

A couple of weeks ago, OpenWhisper systems announced that its Signal secure protocol has been imbedded into Facebook's WhatsApp instant messaging application. The question I receive daily is "should I consider my Whatsapp communications protected now?"

Before signal there was OTR

Before using the Signal protocol, it looks like the WhatsApp team evaluated the OTR (off the record protocol). OTR provides encrypted point to Point communication but it requires a real time collaboration of the users (aka both have to be online to secure the transmission) which isn't practical for WhatsApp. So they went fishing for something else and stumbled upon Signal.

The Signal difference

Signal actually created an encryption model using the text messaging approach, where messaging is encrypted but it is asynchronous (both parties don't need to be online simultaneously for it to work).

Although text messaging is simple, the complexity of the encryption is model is high.

The protocol was called axolotl. The salamander it is named for has self healing capabilities and the axolotl protocol also has self healing properties.

To simplify it for mass consumption, the procotol was renamed the Signal protocol and now has open source libraries. Cryptogrsphers have been able to build fully function encryption programs comptible with the consummer Signal apps.

Now powering Whatsapp

The integration is now complete in the latest version of Whatsapp on all platforms.

Users running these versions now get full end to end encryption for every message they send and every Whatsapp call they make. All the benefits of the signal protocol are now built in.

We have confidentiality which means the communication is encrypted.

We have integrity which means message alterations will be detected and fail the verification transaction.

Authentication is possible (which is good) but you need to take extra steps to do so. Keep reading.

Participant consistency is also important but defaults to off (has to be enabled manually).

They also claim to have destination validation, which requires the above 2 to work, so technically it is available and built in.

They have forward secrecy which means a future compromise of a private key will not allow the decryption of past messages.

They have backward secrecy, which means a past compromise of a private key will not compromise future protected communications. Keys are constantly being changed and re-negotiated.

They have message unlinkability, which means messages are independent, asynchronous, can arrive independently or be missing, without affecting the fucntioning or efficiency of the entire system.

Message repudiation is also there, which means the sender can deny sending a message. This works because the receiver can forge a message that looks like it came from the other party. Which means none of the participants can claim (to a 3rd party) that a message originated from the other party with verifiability. All that can be claimed is that the sender or the recipient sent the messages. To most this seems bad but in the world of security, this is a good think.

Simple but complex

We all know Whatsapp is a simple to use product but the actual encryption is very complicated and therefore beyond the scope of this post.

As an example, they create static Diffie Hellman encryption keys. Then they create a set of ephemeral keys. Then they use a triple Diffie Hellman protocol to exchange their ephemeral keys and they use a Diffie Hellman key agreement 3 times to take their private key and the other person's ephemeral public key and create a key agreement.

The other user takes his private key and the other persons Diffie Hellman public key to create a second agreement. Then they take the ephemeral keys and use that with Diffie Hellman to get a third set of keys and they concatenate all of these together to create a master session key.

The ratchet

In an interactive protocol a ratchet is where you evolve a key that you agree upon as you send messages back and forth. You ratchet the key forward.

The problem is that this requires real time communications. The innovation here is that they developed an offline ratchet using a hash. Each time both parties are online at the same time, an online ratchet is performed and resynchronize the offline ratchet hash.

First sessions establishment

In real time communications you can create a shared key in realtime. But how do you do this is an asynchronous model with someone you have never messaged before?

To solve for this issue, when you register your Whatsapp client with the server, your client pre seeds the server with 100 ephemeral public keys and assigns an ID to each. This means someone wanting to send you a message for a new communication stream, picks up one of those keys in order to bootstrap a secure message.

They use this public key and place it back on the server until you are online. When you come online, that blob is sent back to you. Your client will never allow the re-use of that public key (by removing it from the pending ephemeral key list). This one time use prevents certain types of attacks.

Perfect encryption

Knowing that Moxie (from OpenWhisper systems) worked on it and reading all the documentation, it looks like they implemented a perfectly designed asynchronous encrypted messaging system.

The one caveat & other thing

The one major exception is that you cannot be sure who you are talking to (authentication).

Threema, my favourite truly perfect encrypted and private messaging system, solves this by only guaranteeing authentication when you physically scan the QR code of the other participant's public key.

To solve this, Whatsapp provide a (per communication thread) QR code or 60 decimal digit user verification code. This code contains both parties encryption keys.

So the problem is you need to perform this verification at least once per conversation thread. This guarantees there is no middleman. Where you can't visually exchange codes, you can read the 60 digit code to each other. If the codes are different, it means there is a man in the middle.

For some reason if the codes change, you are not automatically notified. But under account security, you can enable this notification.

Go to Settings, then Account, then Security, and ensble the switch

Everyone needs to turn this on (participant consistency). The only time a code should should change during a conversation is if the other party installs the app on a new device (or a reset device), in which case you will already likely know and can disregard the alert.

I also want to remind readers that although the messages themselves are encrypted, there is still metadata. There is no technological way to communicate without leaving a trail of metadata today. Metadata is data about your data : such as who you communicate with, how often and how much data you exchange with each other.

Whatsapp is not open source

Many security researchers dislike closed source security applications because there is no way to independently validate the implantation (aka. Know for sure that no one has implemented a back-door or injected malicious code.)

Technology is only as good as its implementation and although the encryption math is perfect, applications rarely are. At some point we have to put our crazy hats down and trust that companies are tying to do the right thing for their users.

Conclusion

Facebook has done a very good job and with the flip of a switch, they have gifted 1B people with easy to use and powerful encryption. I still love Threema because it has better authentication but the truth is none of my contacts use it.

I am excited that more people will be brought into the wonderful world of encryption and have their discussions protected.