Security of First World and Espionage


Rafael Fontes Souza


THE PURPOSE OF THIS PRESENTATION IS TO DEMONSTRATE HOW BEST TO TACKLE CYBER ISSUES: IMPLEMENT A NEW METHOD OF UNBREAKABLE ENCRYPTION, OTP AT LARGE SCALE, INTEGRATING HARDWARE AND SOFTWARE.


ABSTRACT

Everyone knows that encryption is an essential part of modern times. Among its main aims and objectives are protecting the financial networks that interconnect the world's banks, keeping phone calls from being listened to, and keeping records confidential. It is used to protect sensitive information for military officers, doctors and lawyers, and to protect credit card and financial transactions.


CONCEPTS

Encryption algorithms also depend on so-called "trapdoor functions": mathematical operations that are theoretically easy to perform but very difficult to reverse. A common method is based on the difficulty of finding the prime factors of large numbers, and many security researchers have been developing new codes based on different and innovative mathematics involving elliptic curves. But what if some entity, or someone with great skill, can pick the constants involved so as to make the codes vulnerable and decode the result? This could be a global threat.


SECURE CLOUD 2014


INTRODUCTION

Most encryption systems use pseudo-random number generators as part of a complex mathematical code to create virtually unbreakable sequences. Where the generated numbers can be predicted, the code becomes vulnerable to attack with sufficient processing power and a certain amount of time.
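The predictability problem described above, as an added example that is not part of the original slides: a key stream taken from a seeded pseudo-random generator is reproduced by anyone who can enumerate the seed, while a key from the operating system's CSPRNG offers no seed to enumerate. The clock-based seed, the one-hour window, the message and all function names are constructed for illustration.

```python
import random
import secrets

def prng_keystream(seed: int, n: int) -> bytes:
    """n key bytes from the Mersenne Twister; the seed fixes all of them."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, key))

def find_seed(ciphertext: bytes, known_prefix: bytes, candidates):
    """Return the candidate seed whose key stream explains the known prefix."""
    head = ciphertext[:len(known_prefix)]
    for seed in candidates:
        if xor(head, prng_keystream(seed, len(head))) == known_prefix:
            return seed
    return None

# Constructed scenario: the key was seeded from a clock value (hypothetical),
# so an auditor only has to walk a one-hour window of possible seeds.
WINDOW = range(1_400_000_000, 1_400_003_600)
MESSAGE = b"Subject: quarterly figures attached"
KNOWN_PREFIX = b"Subject: "            # message headers are guessable

def weak_ciphertext(seed: int) -> bytes:
    return xor(MESSAGE, prng_keystream(seed, len(MESSAGE)))

def strong_ciphertext() -> bytes:
    # Key bytes from the OS CSPRNG: there is no small seed space to walk.
    return xor(MESSAGE, secrets.token_bytes(len(MESSAGE)))

if __name__ == "__main__":
    seed = 1_400_001_234
    found = find_seed(weak_ciphertext(seed), KNOWN_PREFIX, WINDOW)
    print("seeded-PRNG key reproduced:", found == seed)
    leaked = find_seed(strong_ciphertext(), KNOWN_PREFIX, WINDOW)
    print("CSPRNG key reproduced:", leaked is not None)
```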


UNDERSTANDING THE PROBLEM

According to documents revealed by Edward Snowden (a former CIA and NSA systems administrator who now lives in Russia and was considered a spy), the National Security Agency is three steps ahead in a secret cyber war, using supercomputers and unknown techniques to crack encrypted data, along with court orders, persuasion and agreements with major companies to corrupt the main tools that protect the privacy of Internet communications.


CONTEXT

Supposedly the NSA can break the codes that allow private communication over the Internet and can also sabotage them. The strategy includes undermining the supposedly official standards organizations and major IT companies with bribes; the goal would be to insert "backdoors". The New York Times mentions a "GCHQ" document which says that the NSA has large amounts of encrypted data that used to be discarded and are now exploitable, and that there was an aggressive effort toward breaking encryption technologies considered safe.


Cyber Secure Pakistan - 2014


Speculations on NSA Projects

Recent ultra-secret documents reveal that the National Security Agency is increasing its ability to secretly invade computers on a mass scale, using automated systems that reduce the level of human supervision in the process. This type of intelligence is a sophisticated form of espionage and a threat to data and information.


Malware around the world

TURBINE PROJECT

UNITEDRAKE

CAPTIVATEDAUDIENCE

GUMFISH

FOGGYBOTTOM

GROK

SALVAGERABBIT


VISION OF SURVEILLANCE

Every click, every button, every data packet and every message sent or received across the world passes through servers that control Internet traffic, where the data is intercepted. Metadata is collected and traffic is monitored; this interface is even bigger than "PRISM", "MUSCULAR", "XKEYSCORE" and "TEMPORA".

Therefore it is of utmost importance to use cryptography.


GLOBAL CYBER WAR

PentestMagazine: What are the biggest challenges that the field of information security is suffering from?

Rafael: It is known that a lot of espionage is carried out by some governments and also by competitors. They should remember that privacy is important; encryption is a positive and honest way to protect sensitive data. If there is no respect between nations, cyber war can be the scenario.


ZERO-DAY

It is known that practically every system has security flaws (programming problems that give individuals opportunities to exploit). Many of these vulnerabilities have not been discovered yet, and hundreds are corrected every month through packages made available to the affected organizations, sometimes as new versions and updates.


BLACK MARKET

Behind this scenario, there is a market for exploits and zero-day attacks.

Many blackhats choose to sell their exploits for profit instead of reporting them to the vendor.

Furthermore, some companies buy unknown bugs to exploit their competitors or spy on their customers.

Our thinking has to evolve so that we understand this and position ourselves as players in combating the threats.


HACKER SCENE

Now let's make a comparison with the real world:

Think of how, in war, a soldier uses binoculars to view, understand and explore the target without ordinary citizens knowing.

In the field of cyber-security it is the same: thousands of zero-days are being exploited without anyone properly perceiving it.


PERSPECTIVE

According to Bloomberg: "NSA Said to Exploit Bug Heartbleed for Intelligence for Years"

This extremely critical programming flaw in OpenSSL exposed the cryptographic keys and private data of some of the most important services and millions of websites on the Internet.


"The flaw can potentially be used to reveal not just the contents of a secured-message, such as a credit-card transaction over HTTPS, but the primary and secondary SSL keys themselves. This data could then, in theory, be used as a skeleton keys to bypass secure servers without leaving a trace that a site had been hacked." (ZDNET)


MAN IN THE MIDDLE

The flaw is contained in several versions of OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption. If exploited, the bug (CVE-2014-0160) could allow attackers to monitor all information passed between a user and a Web service, or even to decrypt past traffic they have collected.


HOW TO FIX HEARTBLEED BUG

Upgrade OpenSSL to version 1.0.1g

Request revocation of the current SSL certificate

Regenerate your private key

Request and replace the SSL certificate

Change your password
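For the first step, an added example (not part of the original slides) that triages the text printed by `openssl version -a` on each host of an inventory. It relies on the OpenSSL advisory's affected range for CVE-2014-0160 (1.0.1 through 1.0.1f) and on the 7 April 2014 disclosure date; the function name, status labels and sample strings are constructed. A distribution build can carry the fix under an affected version string, so such hits are flagged for a package changelog check rather than cleared.

```python
import re
from datetime import date

DISCLOSED = date(2014, 4, 7)     # earlier builds cannot contain the fix
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(-(?:beta\d*|dev|pre\d*))?(?:-fips)?(?!\S)")
BUILT_RE = re.compile(
    r"built on:\s+\w{3}\s+(" + "|".join(MONTHS) + r")\s+(\d{1,2})\s+[\d:]+\s+\w+\s+(\d{4})")

def heartbleed_triage(version_output: str) -> str:
    """Classify one host from its `openssl version -a` output."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    base, letter, prerelease = m.groups()
    if base in ("0.9.8", "1.0.0"):
        return "not-affected"    # the heartbeat code is absent from these branches
    if base != "1.0.1" or prerelease:
        return "unknown"         # outside what this check covers
    if letter >= "g":
        return "fixed"           # 1.0.1g is the release named in the steps above
    # 1.0.1 through 1.0.1f: affected unless the vendor backported the patch.
    built = BUILT_RE.search(version_output)
    if built:
        mon, day, year = built.groups()
        if date(int(year), MONTHS.index(mon) + 1, int(day)) >= DISCLOSED:
            return "affected-version-check-backport"
    return "affected"

# Constructed sample inventory: host name -> captured command output.
SAMPLES = {
    "web01": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Feb 11 16:30:00 UTC 2013\n",
    "web02": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Apr  8 09:12:44 UTC 2014\n",
    "web03": "OpenSSL 1.0.1g 7 Apr 2014\n",
    "db01": "OpenSSL 0.9.8y 5 Feb 2013\n",
    "app01": "OpenSSL 1.0.1e-fips 11 Feb 2013\n",
}

if __name__ == "__main__":
    for host, output in SAMPLES.items():
        print(host, heartbleed_triage(output))
```

A host that was ever in the affected range still needs the remaining steps (revocation, new key, new certificate, password change) after the upgrade, because keys may already have been exposed.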

A large share of companies and people choose to keep their data the "cloud computing" way, but…


Why use Cloud Computing?

For companies with critical data that have a growing network, migrating to the 'cloud' has become a necessity.

This migration brings many benefits, such as reducing costs and the need for skilled labor.

It is important to remember that cloud computing also carries risks and concerns, like any other technology.


Practical ways to increase security in the Cloud

I. Set access control: Set different users with different privileges. Example: A database administrator will have access restricted to the maintenance of the database.

II. Protect the most critical data: Set protection (encryption) on the most sensitive data, including server and monitoring system services.

III. Choose strong passwords: Change passwords regularly, always mixing numbers and letters (uppercase and lowercase).


EVOLUTION OF THINKING

The recent leak suggests that the NSA was not only spying on foreign adversaries, but also on commercial rivals of American businesses, something that other foreign companies and governments have worried about for years. There are those who are suspicious of Mr. Snowden and his allies, who contest the references taken from the leaked documents, and who defend the role of the NSA.


THE OTHER SIDE OF HISTORY

On the other hand, the NSA claims it is protecting national dignity and keeping the world safe from threats. German politicians have secretly asked people to avoid American web companies if they want to keep their data secure; the Indian government is considering a ban on the use of Google's Gmail service for sending official communication; and technology companies in places like Russia and Switzerland have seen a considerable increase in inquiries from companies seeking a safe place for their data.


CURIOSITY

The largest technology companies, such as Facebook, Microsoft, Google and Yahoo, with their horizons spread around the world, are the ones with the most to lose: reputation! The NSA has supposedly requested (through actions in the United States Foreign Intelligence Surveillance Court) permission to acquire detailed information on the kind of data, orders, and requests. An information document, "Bullrun", says the NSA had developed innovative capabilities against encrypted Web chats and phone calls, and had also successfully performed attack techniques against Secure Sockets Layer (SSL) and virtual private networks (VPN).


PRIVACY

There are ways to get around this: use tools that employ the best strategies, in this case open-source encryption. The advantage is that the algorithm can be examined freely for potential security vulnerabilities that can arise throughout the tests.


WORKAROUNDS AND USEFUL TOOLS

GPG, an open-source implementation of the OpenPGP protocol, is used to encrypt e-mail communications.

TrueCrypt (on-the-fly encryption, OTFE) is used to encrypt confidential files, folders and entire drives on your PC. It can create a virtual encrypted disk or encrypt a partition. The individual algorithms supported by TrueCrypt are AES, Serpent and Twofish; additionally, five different combinations of cascaded algorithms are available: AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES and Twofish-Serpent. It uses RIPEMD-160, SHA-512 and Whirlpool as hashing functions.

TAILS, a Linux distribution built for safety and anonymity, comes with numerous privacy and encryption tools which let you surf the web in a (mostly) anonymous state.

Off-the-Record messaging, or OTR, is an encryption protocol used to encrypt and authenticate communications and instant messaging; also use others such as TLS and IPsec.

Remember to also apply other software such as Silent Circle and BleachBit.


Advanced Encryption Standard

Regarding privacy, it is important to know how to control the availability and exposure of your data. The AES algorithm was proposed to replace DES. NIST (the U.S. National Institute of Standards and Technology) held a competition; the selection process began in 1997 and ended in 2000 with the victory of the Rijndael algorithm, written by Joan Daemen and Vincent Rijmen. The algorithm that would be called the "Advanced Encryption Standard" had to meet the following specifications: a publicly defined algorithm; a symmetric block cipher; designed so that the key size can be increased; deployable in both hardware and software; freely available. The algorithm encrypts and decrypts using a cryptographic key and blocks, both with sizes of 128, 192 or 256 bits.


RSA

The RSA data encryption algorithm, named after three professors at the Massachusetts Institute of Technology (MIT), Ronald Rivest, Adi Shamir and Leonard Adleman, is considered one of the most successful implementations of asymmetric key systems and is based on classical number theory. Researchers consider it among the safest, as attempts to break it have been unsuccessful. It was also the first algorithm to enable both encryption and digital signatures.


STRATEGY

The One-Time Pad technology has been adopted by KGB agents.

Then, we can use "Top Secret Cryptography" ("When you don't even want the NSA to know").

End-to-end encryption such as OTR (off-the-record) messaging.

After security research, here are excellent tools: CT-46 One Time Pad, Solid Encryption, OneTimePad Net, Emus encryption tool, tcplay, Cryptonite, TruPax, EDS, RealCrypt, Luksus, TOR, Quick Crypt, Disk Utility, AxCrypt, FolderLock, TCPstealth, 7-zip, Hide My Ass (VPN), AEScrypt, OpenAES, KGB archiver, VSENcryptor, Lacie Private-Public, DiskCryptor.


SOLUTION

Build your own software!

It is important to TEST your encryption method.

The following video will show the algorithm that was developed based on RSA for our own safety.


SAFETY OF THE FIRST WORLD

Of all the encryption methods ever conceived, only one was mathematically proven to be completely safe.

It's called the "Vernam cipher" or "one-time pad". The value of all other ciphers is based on computational security and mathematical functions, whereas this code is mathematically calculated to ensure autonomy and privacy. This means that breaking the encryption key using the computer technology and algorithms currently available, within a reasonable time, is not merely extremely improbable, but impossible. Every cryptographic algorithm except the "One-Time Pad" can be broken given a certain amount of time, even though doing so may consume resources.


GET TO KNOW YOUR SECURITY LEVEL

How do you know that the encryption system you use is really safe?

Do you understand how it works?

Do you think if a government institution or military intelligence had a method of breaking cryptosystems they would advertise this fact?

Systems security is a matter of extreme importance for anyone with a natural distrust and for those attracted to power. The interception and decoding of personal communication can be literally a matter of life or death for some individuals.


HISTORY OF THE MOST ADVANCED TECHNOLOGY

As a result of work on a new and innovative computer technology known as the quantum computer, an algorithm now exists for factoring giant integers in linear time. It was created in 1994 by Peter Shor of AT&T Bell Laboratories. A machine able to run Shor's quantum algorithm could factor hundred-digit integers in a few arithmetic operations, in a short amount of time.

Functioning prototypes of quantum computers exist, as does information on the implementation of a scalable matrix inversion in optimized time (SMITH).

In 1917, during the First World War, the American scientist Gilbert Vernam was given the task by AT&T of inventing a method of encryption that the Germans could not break.


ONE TIME PAD

What was devised is the only proven unbreakable encryption scheme known to date. Compared with most encryption systems, it is very simple. To use a one-time pad, you need 2 copies of the "pad" (also known as the key), which is a source of random data for the message you want to encode.

If the data on the "pad" is not truly random, the security of the "pad" is compromised.

The "pad" should never be reused; each one is unique. The decisive factor is that the "pad" may be used only once: the purpose is "OneTime", and that is the point of this model. Its engine is based on the VOC technology (Virtual Cascade OTP), is fully resistant to cryptanalysis, and is safer than "Acid Cryptofiler", used by NATO.

This algorithm is designed for citizens who desire freedom and privacy, secret agents, agencies that operate in foreign countries, journalists, lawyers, doctors, police...

Random data on the "pad" should never be generated only by software.
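The pad rules above, as an added example that is not code from the original slides or from the author's tool: each party holds a copy of the pad, every pad byte is consumed once, and the last function shows what reusing pad bytes hands to anyone holding both ciphertexts. The class and function names and the sample messages are constructed, and `secrets.token_bytes` is only a stand-in for the hardware source the slides call for.

```python
import secrets

class OneTimePad:
    """One party's copy of the pad; every pad byte is handed out at most once."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = 0                  # offset of the first unused pad byte

    def _take(self, n: int) -> bytes:
        if self._used + n > len(self._pad):
            raise ValueError("pad exhausted; refusing to reuse key material")
        chunk = self._pad[self._used:self._used + n]
        self._used += n
        return chunk

    def apply(self, data: bytes) -> bytes:
        """XOR with fresh pad bytes; encryption and decryption are the same step."""
        return bytes(d ^ k for d, k in zip(data, self._take(len(data))))

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """XOR of two ciphertexts made with the SAME pad bytes: the pad cancels
    and p1 XOR p2 remains, protected by no key at all."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def make_pad(n: int) -> bytes:
    # Stand-in source (assumption): the operating system's CSPRNG. The slides
    # ask for a non-deterministic hardware source; it would be read here.
    return secrets.token_bytes(n)

if __name__ == "__main__":
    pad = make_pad(64)
    alice, bob = OneTimePad(pad), OneTimePad(pad)    # the two copies of the pad
    for msg in (b"meet at the north gate", b"bring the documents"):
        assert bob.apply(alice.apply(msg)) == msg    # both copies advance in step

    # Misuse: two messages both encrypted from offset 0 of the same pad.
    p1, p2 = b"transfer approved", b"transfer rejected"
    c1, c2 = OneTimePad(pad).apply(p1), OneTimePad(pad).apply(p2)
    print(reuse_leak(c1, c2) == bytes(a ^ b for a, b in zip(p1, p2)))
```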


CONCLUSION

The one-time pad should be produced through processes that draw on software and hardware of a truly non-deterministic nature. If you intend to send or secure highly confidential information through insecure channels like a telephone, and you need assurance that intercepted ciphertext cannot be decrypted, then there is no choice but to use the Vernam algorithm.

In conclusion, we have shown the most advanced technique for encryption. The one-time key cipher is an encryption algorithm in which the plaintext is combined with a random key, or "pad", that is as large as the plaintext itself and must be used only once. If the key is truly random, never reused, and kept secret, the one-time pad is unbreakable!


Final considerations: I would like to first thank God for providing me with knowledge and enlightening me with innovative ideas, also the listeners for their attention and focus in this presentation, and my dear friends Rafay Baloch and Priyanshu Sahay.

Greets: Ziaullah Mirza, Priscila Viana, Silvio Rhatto, Ana Marangoni and Talha Habib.

"Make simple something that, at the beginning, seemed complicated... this is what wisdom means" Rafael Fontes Souza


QUESTIONS!?