Preventing Cyber-Attacks. Adam Peterson

Transcription

1 Preventing Cyber-Attacks By Adam Peterson Carson High School AP Literature A1 Mr. Macy December 26, 2013

2 I. Introduction a. Attention Grabber: Statement about how insecure unencrypted data is (pathos). b. Thesis: In a world of ever increasing malevolent creativity, there is a greater need for the legal digital community to stay ahead of malicious hackers. II. Background a. Topic Sentence: With cyber-attacks growing ever more frequent, many people do not understand why so many systems seem vulnerable to infiltration. i. Encryption Theory ii. Why everything can be hacked 1. Infinite time and processing power 2. Insufficient resources III. Why Encryption is not done well. a. Topic Sentence: While these two flaws of encryption are always present, more often they are not the cause for systems to be infiltrated; the encryption process is often done poorly or skipped altogether, leading to major security risks. i. Outdated Programs/ non-aes ii. Time Consuming/Inconvenient 1. Inconvenient= processing power/ slows down iii. Costly IV. Common Hacks a. Topic Sentence: With computer technology and coding evolving at an ever increasing rate, a variety of ways to bypass these codes have emerged; however, a few hacks have been so successful they have remained through the changing technological climate. i. Battering Ram/Dictionary ii. SQL Database Injection iii. DOS/DDOS V. Staying ahead of the curve a. Topic Sentence: While the legal community of cryptographers comes out with new and more powerful programs every day, the hacking community continues to bypass these systems at an ever increasing rate. i. Ex: Target credit card scam ii. The need for cryptographers to stay ahead of the curve iii. My argument on how they have fallen behind. VI. Possible Solutions a. Topic Sentence: i. Government Assistance/Funding ii. Limiting Technological Rights (CISPA) VII. Conclusion a. Restate Thesis

3 b. Reiteration of Thoughts

4 Every day hundreds of thousands of computer transactions take place worldwide, accounting for billions of dollars in trade; the money and data being transferred is encrypted, but more and more often these codes are being broken. Hundreds of billions of dollars, as well as personal data, are at risk, especially if this trend continues. In the past, to secure an item, it was placed in a bank vault or safe, but in today s world, the most valuable things aren t bars of gold or paintings; they are strings of code on a computer. Cryptography is the art of writing or solving codes, and the demand for cryptographers to create secure codes to protect this data is continually growing in the digital world. However, the other side of cryptography has seen immense increase as well, with malicious hacking growing exponentially. In a world of ever increasing malevolent creativity, there is a greater need for the legal digital community to stay ahead of criminal hackers. With cyber-attacks growing ever more frequent, many people do not understand why so many systems seem vulnerable to infiltration. The answer is two-fold. The first lies in the way data is encrypted. When data is encrypted, it is mixed up and jumbled so that anyone who does not know the pattern of the code sees gibberish. Decrypting occurs when someone who knows the code can take the gibberish and translate it into intelligent words or code. The problem with protecting data in this manner is that it is based on an idea called encryption theory. Encryption theory assumes that when the data is encrypted, the result is completely random, or in other words, that maximum entropy is achieved. True randomness is a theoretical impossibility, as there will always be patterns and repetition in the code. If a hacker can discern patterns in the code, he can decode or decrypt whatever the message is. A study done by MIT showed that A codebreaker needs only one reliable correlation between the encrypted and unencrypted versions of a file in order to begin to deduce further correlations (Hardesty). The second reason systems

5 are infiltrated so often lies in a basic rule of encrypting. Any system, any encryption, any passcode, can be overridden given a sufficient amount of time and processing power. Cryptographers can make their codes very difficult to bypass, but an unbreakable code is an impossibility. An online article on code breaking stated In theory one can break any encryption algorithm by exhausting every key in a sequence. This brute force method requires vast amounts of computing power as length of the key increases ( Cracking Encryption Algorithms ). These two reasons together are the basis for the theory behind cracking systems. Given that true randomness is impossible, and that all systems can be bypassed with a brute force attack given enough time, encryption can continue to become more difficult to bypass but will never reach the level of absolute security. While these two flaws of encryption are always present, more often they are not the cause for systems to be infiltrated; the encryption process is often done poorly or skipped altogether, leading to major security risks. The larger issue with systems being infiltrated is that encryption is a costly, time-consuming process. When data is encrypted it takes up more memory space, leading to more servers for companies. In addition, the decryption and re-encryption process can take quite a long time, depending on the size of the file and the length of the encryption key. The biggest issue however, is the upfront cost. Symantec, an online technology company, gives a price quote of just under 5,000 dollars for fifty licenses of encryption software. ( Add peace of ). This means that if a company has hundreds of computers that need to be encrypted, the price range is going to be in the tens of thousands of dollars. In response to these issues, many companies choose to not encrypt their data to save a quick buck. Another cheap solution companies will apply is to use an older cipher or use non-aes encryption. AES (Advanced Encryption Standard) is encryption certified by the U.S. National Institute of Standards and

6 Technology to be secure. In other words, it is encryption that the federal government feels is sufficient enough to protect an individual s personal data. Non-AES encryption is much cheaper, but it is usually significantly weaker than encryption that has been certified by the national government. Another issue with system infiltration involves failure to update servers. Eric Dugger, Network Services Manager for Legislative Counsel Bureau, states that older systems are left online that are connected to newer systems. The connection allows for a Segway between the two systems (Dugger). The new servers could have the most secure encryption available, but if the old server is infiltrated, it is much easier to gain access to the new system by the already existing pathways between the two. Companies need to stop taking shortcuts when it comes to securing sensitive data. If confidential data is leaked, it will be much more costly to remedy the situation. In the current economic situation, corporations are looking to save money wherever they can, but data encryption is not the place to cut corners. With computer technology and coding evolving at an ever increasing rate, numerous ways to bypass encryption codes have emerged; a few hacks have even been so successful they have remained through the changing technological climate. The first one is a battering ram or dictionary-based attack. The simplest way to think of this is a login password on a computer. If the password was a word, someone could sit down and enter every word in the dictionary until they gained access. This would be an unproductive attack, as it would take several weeks to enter all the words in the dictionary; however it does not need to be done by hand. Dictionary attack programs exist that can input hundreds of words a second into the password form. This makes the time needed to bypass the login much shorter. This is why a password should never be a word, but should be as random as possible. Passwords become much more secure as they get longer and contain numbers, letters, special characters, and upper and lower case letters.

7 Another common hack is a SQL database injection. This involves inputting code into a database in order to get it to perform an action one does not have access to. An example would be in creating a website. If there were a form field (like a box where a status update is written in Facebook) instead of putting a status update, a hacker could input web code telling the website to perform an action. This could cause thousands of users personal data to be transferred to an unauthorized computer illegally, including things like credit card numbers. The solution to this problem is relatively simple. Filtering software can be used to reject specific symbols in a form field, so if an individual were to input specific coding text, the filter would tell the website to not execute the code put into the form field. Even though the solution is simple, it is commonly overlooked by web designers which can cause sensitive data to be leaked. To remedy this problem, all web designers who are coding sites with secure data need to know how to implement filtering software. Corporations need to ensure their sites are secure, especially if online transactions take place. Finally, the DOS attack is one of the most popular hacks and is also one of the most difficult to prevent. The Carnegie Mellon Software Engineering Institute described a DOS hack as an "attack characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include: attempts to flood a network, thereby preventing legitimate network traffic. ( Denial of Service ). This means that a hacker can create thousands of fake requests to a website that the hosting server must respond to. Given a sufficient amount of requests, the server becomes unable to handle all the prompts and crashes. This can be extremely costly if the data becomes corrupted or the servers overload to the point of permanent damage. In response to this, many companies have DOS filtering software, where if too many requests to the site are detected in a short period of time, the site ignores all requests to preserve data integrity. The problem with this patch is that

8 legitimate users are also blocked from reaching the site. So far, no one has discovered a reliable method for distinguishing between real users and fake requests to a site. The only method for dealing with this type of attack is to reject all requests and take the site down. The illegitimate requests can be back traced to the source where law enforcement can take care of the hacker. This is a lengthy and slow moving process that involves hours of back tracing (especially if the hacker is good at hiding his or her trail), requesting and receiving search warrants, and taking the attack offline. Even more problems arise when dealing with international governments. For example if a hacker in Brazil attacks a United States based website, the US government is powerless to do anything except notify the Brazilian government and hope they take action in a timely manner. A new system needs to be devised that can reliably distinguish between spoofed users and legitimate ones so that sites do not crash or do not need to be taken offline for extended periods of time. While the legal community of cryptographers comes out with new and more powerful programs every day, the hacking community continues to bypass these systems at an ever increasing rate. The only reason encryption has ever worked is because the ciphers created by legal cryptographers have been more effective than codes created by those who break the ciphers. The trend more often now is that systems are broken into, rather than remaining secure. Codes are being bypassed faster than they can be created, and it is causing a major problem in the business world. An example of this can be shown in the recent debacle with Target. An article from Daily Finance stated that Hackers who attacked Target and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers. (Finkle and Henry). This attack is not the only one in recent months. More and more often headlines across the world are full of supposedly secure services being successfully

9 attacked. Cryptographers have fallen behind the curve; codes are being broken more rapidly than they are created, and the codes that are being created are not staying secure. Given the recent penetrations into secure servers, a change needs to take place to ensure that sensitive data remains secure. Since standard encryption agencies do not seem able to keep up with hackers, government agencies should step in. Government assistance in this field could come in a few different ways. The first is by funding encryption agencies to help them recruit more software engineers or afford more servers for the creation of their product. The government could also assist by creating their own encryption software to be used at a lower price to help data remain secure. The final option would be to give the government more power to monitor and prosecute illegal technological activity. The Cyber Intelligence Sharing and Protection Act (CISPA) is a bill that originated in the House of Representatives in Since then, it has been passed through the House but was voted down by the Senate. President Obama stated that even if the bill passes both houses, he will veto it. CISPA is therefore extremely unlikely to pass; however, it would give the government power to monitor large amounts of online activity and take action accordingly. The description on the bill reads, An Act to provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes. (United States Cong.). This act would allow the government to have additional power similar to that of the NSA Prism surveillance program that has been so unpopular in recent months. While this option is unlikely, it would assist in the federal government s tracking of illegal activity to stop hackers and help prevent cyber-attacks across the nation. The bill should be passed because even though it limits some individual freedoms, it helps protect not only companies and corporations, but individuals private security as well.

10 The creating of encryption algorithms and ciphers is a multi-million dollar industry around the world; however, even with these resources, the legal digital world is falling behind malicious hackers who continue to bypass systems at an alarming rate. A change needs to be brought about so that debacles like the Target credit card theft will stop occurring so frequently. The encryption companies need to step up and create new, more secure codes, and if these companies are not able to do so, the federal government needs to step in. The first duty of any legitimate government is the protection of its citizens, not only in the physical world but in the digital one as well. Cryptographers have been behind the curve for too long and new ciphers need to be created to safely encrypt data. In this modern world, we need to better protect electronic bank vaults to keep the most valuable things we have safe.

11 Works Cited "Add peace of mind to your business plan." Symantec. Web. 27 December "Cracking Encryption Algorithms." n.d. mycrypto. Web. 26 December "Denail of Service Attacks." 4 June CERT December Dugger, Eric. Legislative Counsel Bureau Network Services Manager Adam Peterson. 2 January Personal Interview. Hardesty, Larry. "Encryption is less secure than we thought." 13 April MIT News. Web. 26 December Henry, David and Jim Finkle. "Target Hackers Stole Encrypted Credit Card Codes." 25 December Daily Finance December 2013.