Sunday, August 2, 2015

Justification for Your Paranoia

Heading to Black Hat and DEF CON at stupid-o-clock in the morning tomorrow, and trying to stay awake, so it seems like a perfect time to chatter about the latest round of crazy ways that you are insecure...hopefully I will return from this outing with even more things to share...


From the series Nests by Jakub Geltner.
1) Stealing Data with Radios...
In a paper scheduled to be presented at the 2015 Workshop on Cryptographic Hardware and Embedded Systems, researchers from Tel Aviv University (who previously showed that you could steal encryption keys by touch) demonstrate "the extraction of secret decryption keys from laptop computers, by non-intrusively measuring electromagnetic emanations for a few seconds from a distance of 50 cm."
The attack can be executed using cheap and readily-available equipment: a consumer-grade radio receiver or a Software Defined Radio USB dongle. The setup is compact, can operate untethered, and can be easily concealed (they use the example of hiding it inside a piece of pita-bread). Common laptops, and popular implementations of RSA and ElGamal encryptions, are vulnerable to this attack, including those that implement the decryption using modern exponentiation algorithms such as sliding-window, or even its side-channel resistant variant, fixed-window exponentiation.
Obviously the two big questions are "What information gets leaked?" and "Why does this work?"
As to the first, they claim that: "In almost all machines, it is possible to tell, with sub-millisecond precision, whether the computer is idle or performing operations. On many machines, it is moreover possible to distinguish different patterns of CPU operations and different programs. ... we can, on some machines: distinguish between the spectral signatures of different RSA secret keys (signing or decryption), and fully extract decryption keys, by measuring the laptop's electromagnetic emanations during decryption of a chosen ciphertext."
To the second they claim: "Different CPU operations have different power requirements. As different computations are performed during the decryption process, different electrical loads are placed on the voltage regulator that provides the processor with power. The regulator reacts to these varying loads, inadvertently producing electromagnetic radiation that propagates away from the laptop and can be picked up by a nearby observer."
So yeah, they don't even need access to the actual data on your machine to steal the keys to your kingdom, just the EM radiation given off by your CPU running hot, and a small, cheap, easily concealed radio receiver...
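To make the sliding-window versus fixed-window distinction concrete, here is an added Python illustration (not code from the paper or from any real crypto library) that records the sequence of squarings (S) and multiplications (M) each algorithm performs. The modulus, base and two 32-bit exponents are constructed sample values. Sliding-window produces a different operation sequence per key, while fixed-window produces the same one for every key; as noted above, the researchers still extracted keys from fixed-window implementations, so a uniform operation sequence removes only this one signal.

```python
# Added illustration (not from the paper): record the square (S) / multiply (M)
# sequence each algorithm performs. All constants below are constructed.
MOD = 2**61 - 1
BASE = 0x1234567
KEY_A, KEY_B = 0xB5C3A1F7, 0x80010003   # two 32-bit sample exponents


def sliding_window_pow(base, exp, mod, w=4):
    sq = base * base % mod
    odd = {1: base % mod}               # odd powers base^1, base^3, ...
    for i in range(3, 1 << w, 2):
        odd[i] = odd[i - 2] * sq % mod
    bits, result, trace, i = bin(exp)[2:], 1, [], 0
    while i < len(bits):
        if bits[i] == "0":              # zero bit: square only
            result = result * result % mod
            trace.append("S")
            i += 1
            continue
        j = min(i + w, len(bits))       # longest window (<= w bits) ending in 1
        while bits[j - 1] == "0":
            j -= 1
        for _ in range(j - i):
            result = result * result % mod
            trace.append("S")
        result = result * odd[int(bits[i:j], 2)] % mod
        trace.append("M")
        i = j
    return result, "".join(trace)


def fixed_window_pow(base, exp, mod, w=4, nbits=32):
    table = [1]                         # all powers base^0 .. base^(2^w - 1)
    for _ in range((1 << w) - 1):
        table.append(table[-1] * base % mod)
    result, trace = 1, []
    for k in reversed(range(-(-nbits // w))):   # ceil(nbits / w) windows
        for _ in range(w):
            result = result * result % mod
            trace.append("S")
        digit = (exp >> (k * w)) & ((1 << w) - 1)
        result = result * table[digit] % mod    # multiply even when digit is 0
        trace.append("M")
    return result, "".join(trace)


def distinct_traces(powfn, keys=(KEY_A, KEY_B)):
    """Number of different S/M sequences seen across the given keys."""
    return len({powfn(BASE, k, MOD)[1] for k in keys})


if __name__ == "__main__":
    print("sliding-window:", distinct_traces(sliding_window_pow))
    print("fixed-window:  ", distinct_traces(fixed_window_pow))
```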


2) More on the "Right" to Encrypt...
In my previous post, I mentioned how the United Nations special rapporteur on human rights recently suggested that the encryption of data and communications should be considered a basic human right. This is, however, not a new or original idea. I recently stumbled upon an article from the Fall 1997 issue of the Virginia Journal of Law and Technology titled The Use of Encrypted, Coded and Secret Communications is an "Ancient Liberty" Protected by the United States Constitution (it's a law journal article, of course it has a long title). The article attempts:
"to demonstrate that, from the early years of the American Republic, Americans have enjoyed a robust, free, and frequent use of codes, ciphers, and other forms of secret communication. [and ...] that Americans have long used secret modes of communication for numerous purposes, including political dissent, preservation of personal privacy in intimate matters, commerce, and criminal enterprises."
Similarly to the UN's special rapporteur, the article makes its arguments largely from the 1st-Amendment freedom of expression angle, specifically focusing on historical precedent. An interesting (US-specific) argument that I've yet to see made centers on the fact that the U.S. government lists (and regulates) encryption as a form of munitions. So there is room yet for a 2nd-Amendment argument that the use of encryption by U.S. citizens falls under the right to bear arms (there is a paper I'd love to see).
The conclusion includes a nicely hopeful tone:
"The federal government has, for only two generations, enjoyed the ability to quickly override consumer use of cryptography through powerful decryption technology. The government's superior decryption capacity is threatened (or perhaps it has practically evaporated) when average citizens can and do encrypt their communications and their records using powerful encryption products..."
i.e. Encrypt all the things!


3) Old-School Data Security...
This one is a bit of an overlap between my two biggest interests: information security and medieval fantasy. A post has been circulating in both of these circles from Medieval Books, a blog about, of course, medieval manuscripts, specifically related to the measures taken to protect books from theft. Chains, Chests, and Curses covers just that, the three most popular means of prevention of data loss in the medieval age...
It is a wonderful read and I strongly recommend it.
It also got me thinking about modern security. The first two, chains and chests, have some very obvious modern strategy equivalents: preventing data exfiltration and preventing access respectively. The third might have a more interesting corollary. Could we make the data "cursed"? Embed malicious software in the data somehow, so that if it is stolen it will do horrible things to the thief's machine (but somehow not harm the machine originally hosting said data)?  

4) More cars...
To anyone who has paid attention to this blog in the past, the Fiat/Chrysler recall should come as no surprise. If your car is connected it can be hacked. In fact, this news is so un-news-worthy that this is all I'm going to say about it, nor will I bother with links, since the entirety of mainstream media has seen fit to lay out the details of something so easily foreseen...
On the plus side, I may have finally thought of my brilliant entrepreneurial scheme...an auto-shop that disables or lays encryption over vehicular communication systems...