KILLER SERVICE


A MESSAGE FROM OUR FOUNDER AND CEO -

Customer service is a key theme in business today, but inside the information security community those two words appear to be a lost art. Information security is often considered an "overhead" item by most companies and individuals: not something you really want to spend money on, but recent events show you have to.

The idea that the customer experience with security is something to consider may come as a shock, but the fact is that information security is a "service" industry. So an information security experience in which the "security" part is left out can be considered a catastrophe.

Take, for example, the recent Infineon chip experience. Infineon chips are used in products manufactured by Acer, ASUS, Fujitsu, HP, Lenovo, LG, Samsung, Toshiba, Yubico and Chromebook vendors.

In February, researchers at Masaryk University in the Czech Republic discovered a flaw in the RSA keys generated by Infineon chips.
The RSA encryption keys generated by Infineon's chips are used in government-issued identity cards, for signing software with verified signatures, inside authentication tokens, inside programmable smartcards and during secure browsing.

"A remote attacker can compute an RSA private key from the value of a public key. The private key can be misused for impersonation of a legitimate owner, decryption of sensitive messages, forgery of signatures (such as for software releases) and other related attacks," stated the Masaryk report.

The problem, according to the research report, was not how the keys were generated but a faulty RSA key library loaded on the Infineon chips. To make matters worse, the flawed library has been present inside the Infineon chips since 2012.

The flaw does not affect the recent selection by Google to protect its VIP Gmail customers with U2F (Universal 2nd Factor) tokens. The U2F token keys use a different library for verification, called "EC" for Elliptic Curve cryptography, instead of the RSA library. The Masaryk researchers were adamant that the flaw they found was limited to the RSA library and did not impact U2F tokens.

However, many of the U2F tokens manufactured with Infineon chips have the flawed RSA library present even if it is only being used for logging into your VIP Gmail account. Thus, users should still replace them, in case they elect to use the keys for other purposes which require the flawed RSA library.

To say the Infineon chip customers are having a bad day is an understatement. For example, the entire nation of Estonia used the flawed Infineon chips in their brand new smart ID card. The 750,000 Estonian ID cards will have to be eventually scrapped and reissued to the entire population at great expense.

Yet another recent bad security experience is the Krack Attack inside your wireless router. The "Key Reinstallation Attack" or "Krack Attack" is a flaw in the WPA2 Wi-Fi encryption protocol that could allow hackers to intercept your credit card numbers, passwords, photos and other sensitive information. Ironically, the flawed Wi-Fi encryption is not an implementation error like the Infineon chip but a design flaw. In short, almost everything Wi-Fi has this flaw because it was built that way.

Almost every router, smartphone and PC out there is flawed, according to KU Leuven University's Mathy Vanhoef and Frank Piessens, who found the design error. WPA2 encryption requires a unique key to encrypt each block of plaintext. However, the attack described in the Krack Attack paper forces certain implementations of WPA2 to reuse the same key combination multiple times. Thus, an attacker can copy your Wi-Fi network, force your router to re-use the same old key, and break in.
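The failure mode described above, the same keystream being applied to two different messages, as an added example that is not the author's code nor anything from the KRACK paper: a toy counter-mode cipher built on HMAC-SHA256 stands in for WPA2's real cipher, and the function names (`keystream`, `encrypt`, `NonceGuard`) and sample messages are constructed for this illustration. It shows why reuse makes the ciphertexts leak the relationship between the plaintexts, and the sender-side check that refuses to repeat a (key, nonce) pair.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter).
    Constructed stand-in for WPA2's AES-based keystream; the reuse property
    shown below holds for any counter-mode or stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Ciphertext = plaintext XOR keystream(key, nonce)."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def reuse_exposes_plaintext_xor(ct1: bytes, ct2: bytes, pt1: bytes, pt2: bytes) -> bool:
    """True when ct1 XOR ct2 == pt1 XOR pt2, i.e. the keystream cancelled out.
    That is what a key reinstallation causes: two messages under one key/nonce
    pair, so the XOR of their ciphertexts no longer depends on the key at all."""
    return xor_bytes(ct1, ct2) == xor_bytes(pt1, pt2)


class NonceGuard:
    """Defender-side check: never encrypt twice under the same (key, nonce).
    A sender that keeps this state cannot be made to repeat a keystream even
    if a replayed handshake message asks it to reinstall the same key."""

    def __init__(self) -> None:
        self._seen: set = set()

    def encrypt(self, key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
        if (key, nonce) in self._seen:
            raise ValueError("nonce reuse refused: keystream would repeat")
        self._seen.add((key, nonce))
        return encrypt(key, nonce, plaintext)
```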

While the Krack Attack is bad, it would appear that so far only intelligence services such as the NSA have been able to exploit this little repeat attack on Wi-Fi. Documents provided by Edward Snowden indicate that the agents at Ft. Meade may have been able to exploit this flaw for almost a decade while the rest of us labored under the impression our wireless devices were safely encrypted.

This monopoly will not last, of course, now that the design flaw has been revealed, so expect the hacker community to act quickly and deploy attacks based on the published findings. Manufacturers are struggling to find the means to repair things, with some such as Microsoft already ahead of the game, deploying a fix a week before the flaw became public.

Consumers of some cell phones and Linux-driven Internet of Things devices that depend on Wi-Fi may not be so lucky, since manufacturers may not issue updates or may be incapable of issuing them.

These events come after the news that Microsoft broke the security in its popular Outlook email system. The "broke" part was pretty simple: whenever you sent a secure encrypted email, it also contained the unsecured "open" text version of your email.

You might as well not have bothered to send an encrypted email, since Microsoft was sending your messages in the open anyway. This error is most damning because it is the equivalent of changing a tire on a car and leaving the lug nuts off. Microsoft is, of course, mum on this little flaw, but it is known to have been inside Outlook for at least 6 months.

So, to sum up, the customer experience recently with information security can be ranked as poor. None of this is the fault of encryption because there were no errors found inside the actual formulas being used.

Instead, the errors occurred inside the implementation of the encryption: a flawed library, reusing the same key, and sending the open text of a secure email. The solutions are likewise spread out over many bases: more testing of hardware encryption, better technical experts at protocol meetings, and checking for obvious errors.

We apologize that the "security" was left out of the information security you were provided. We hope that didn't ruin your information security experience. Your death will be monitored for training purposes...


CHARLES R. SMITH

CEO FOUNDER OF SOFTWAR INC.


ALL our products on hard copy CD - LINUX, Android and Windows in one package

ENTERPRISE COMBO PACK ALL - Cypher with light sensor, PDA and introducing Choctaw encrypted Email


Contact Us: