Ciphers and Codes, Oh My!

In previous posts we’ve looked at encryption and decryption, and talked about how messages are obscured, but at a very basic level, have you heard of ciphers and codes? Have you ever wondered about the difference between the two?

On a recent visit to Bletchley Park I came across a notice with the image shown above, so I thought I’d share it with you.

A code is where a word, phrase or number is converted into a different word, phrase or number. All the recipient needs is some kind of guide to explain what the codes mean – in the case of the image, “You Attack at Dawn” was encoded as “Buy Some Milk”, so the recipient would need to know what “Buy Some Milk” really meant.

As well as the example given in the image, there are others seen in movies, TV shows and elsewhere. For example, the Wikipedia entry for Star Trek II: The Wrath of Khan explains the use of a code by saying “Though Khan believes his foe stranded on Regula I, Kirk and Spock use a coded message to arrange a rendezvous.” This was, as Kirk and Spock said, “by the book” where days became hours and hours became minutes.

A cipher transforms individual letters, or small groups of letters, into some other combination, perhaps even using symbols. To read the message, the enciphered (encrypted) text needs to be deciphered (decrypted) somehow.  This is what codebreakers do – they try to decipher the original message.

E is for…

Encryption

The process of scrambling a message or data as part of cryptography is called encryption. This is what makes the message impossible to read unless you know how to unscramble it using decryption. As the years have gone by this process has become more and more complicated, and there is heavy reliance on computing power and very advanced maths to make it work without risk of the message being compromised.

Endpoints

You may often hear the phrase endpoint when talking about computer equipment. The term refers to devices such as laptop and desktop computers, smartphones and tablet devices, i.e. things which the end user uses to access data.

Exploit

Code written to take advantage of vulnerabilities in software is known as an exploit. It may be used to inject code, to run a different program, or to cause other damage to the system.

Extranet

An extranet is a controlled network environment which is used to give non-company staff members access to company resources (for example, data files), typically through some sort of remote access solution.

C is for…

CAT5

We don’t really hear this term very often any more, but it refers to probably the most common form of network cabling in offices and homes over the last 15-20 years. It’s the cable you may connect from your home router to your laptop if you don’t use Wi-Fi – it’s almost certainly been provided with the router and you may have left it in the box.

The picture below shows the ends of a CAT5 cable. Recognise it?

CIA Triad

This is a common term used to refer to the three main pillars of information security, Confidentiality, Integrity and Availability. Information Security is all about addressing these three topics when applied to data.

Cloud

“The Cloud” is a term used by many, and the common reference for it is “someone else’s computer”. That’s a pretty good explanation, in that cloud services are provided by a range of companies where they have buildings housing lots of servers, and you effectively rent out one or more of those servers. The benefits are that you don’t have to manage the servers, procurement of parts or maintenance. You don’t have to worry about ensuring the power is always on and quite often your backups are done for you. You can also generally flex storage space up and down as you need it, rather than having to own lots when you don’t always use it. Cloud can therefore seem quite attractive from a cost point of view. The disadvantages – which are actually things you need to ask about – are that you don’t know who has access to your physical servers, you don’t know who you’re sharing server space with, and you don’t necessarily know which country your data is being held in. You therefore need to have a good handle on the security of data, and make sure your Governance / audit processes take this into account.

Confidentiality

Part of the CIA triad, confidentiality is concerned with making sure only authorised people have access to data.

For example, you would not want just anyone to be able to read your medical records: your doctor’s surgery or hospital will keep that information confidential.

Cryptocurrency

Put simply, cryptocurrency is an electronic form of currency which is not regulated, managed or overseen by any banks or governments. Based on cryptographic techniques, it uses blockchain technology to validate every transaction. There is no single point of control. Some stock exchanges and banks are starting to recognise the various currencies, such as Bitcoin, Ripple and Ethereum, and to actively trade in them, while others are banning cryptocurrency altogether. At the time of writing this article, values for the various currencies have been fluctuating massively and it’s likely that they will take some time to settle down.

Cryptography

Cryptography is all about scrambling data to make it unreadable or impossible to understand without first unscrambling it. The technical terms for these processes are encryption and decryption. Many methods have been used over the years to encrypt data.

Manual manipulation of messages, e.g. using one time pads (as the name implies, these were sheets of paper which were to be used only once: messages were scrambled using the random set of letters on the pad and the recipient would have to be using the same pad to decrypt the message), has been done for at least 2000 years.

Computers have been increasingly used for this process in the last 70 years. Enigma was a machine used by the Germans in WW2 to securely swap messages and was the name given to the code which was broken by Polish mathematicians in the 1930s and again by a team led by Alan Turing at Bletchley Park during the war, as dramatised in the film The Imitation Game. Later in the war, a code called Lorenz was broken using a machine devised by Bill Tutte and built by Tommy Flowers. The machine was called Colossus and was the first real computer in the world. It was destroyed after the war and its creation kept secret until many years later, so an American invention in the late 1940s called ENIAC has until recently been thought to be the first computer.

Modern cryptography relies on complicated maths and massive processing power, which can only be provided by computers. Techniques are continuously evolving, and manual cracking of codes is nigh on impossible now.

Cyber

We all use the term, but what exactly is cyber? There are many different definitions, all of which are right. The most basic is probably “something to do with computers”. It’s important that all people in a business share the same definition, so you all know exactly what you mean by the term.

I believe that in 5 to 10 years we won’t be talking about cyber- anything. Cybersecurity, cyberwarfare etc will have lost the prefix and we’ll just be talking about security, warfare etc.

How does your security measure up?

I published this article on LinkedIn on Monday 3rd July 2017, and I’ve copied it here for you.

If you don’t know what you have, how can you measure it?

We read a lot these days about equipment and training to help combat cyber attacks and reduce risks, but I don’t see much about today’s topic. It’s really good that you have controls in place, with defence in depth etc, but how do you know they’re working?

It seems to me that we often forget to take into account the requirement to measure key components on our systems, so that we know when things are working well and when they’re not. This isn’t about audit, which gives you a snapshot, a point in time view. This is about consistent, regular (possibly even real-time) monitoring and reporting on systems.

The first step in this process is to identify what matters to you most – in many, if not all, cases this will be the data your systems hold.

Then, look at the controls you have in place, and think about what information would give you assurance that your controls are effective.

For example, if you have highly sensitive data on all your laptops, knowing which devices are not encrypted might be a really key measurement for you. In this instance, you may decide it is unacceptable for any laptops to be unencrypted, or you may decide you’re happy with a tolerance of 5% or 10%.

One of the fundamental features of reporting is knowing what you have, where it is, and what software is loaded on it. If we look at the recent ransomware outbreaks of Wannacry and Petya, we know that these malware packages make use of specific vulnerabilities which were addressed by specific patches. If your inventory is up to date, you can check for the devices missing those specific patches, and target them immediately, rather than checking every single machine. The same held true with Heartbleed and other outbreaks of a similar nature.

Some would say that regular reporting on critical patches which have not been installed is a waste of time: personally, I think it’s a good metric and invaluable in deploying resources effectively. You should already have a patch schedule, but does it take into account Critical patches? If not, time to start thinking about being proactive with them and pushing them out outside the patch schedule.

Similarly, you will probably want to know what devices have aged (out of date) antivirus signatures: if they’re not within a couple of days of release then in this day and age you’re running a risk. Report / alert on devices where this is the case, or where AV isn’t running at all. (While you’re at it, you might want to investigate ways of determining whether AV is running but not scanning anything – I have seen this on several occasions.)

You will also probably want to baseline the traffic profile coming into and out of your network so that you know what looks normal, making it easier to spot unusual activity. Pay attention to the days and times that traffic is present: if you get a lot of traffic at 3 in the morning, why is that?

Finally, when presenting this information to your senior management, don’t leave it as raw figures. Present it in terms of risk and impact, from a financial and reputational viewpoint. That makes it easier to understand why something needs to be done and should help with getting additional resources to address those risks.
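
The encryption, patch and antivirus measurements described above can be computed straight from an inventory. This is an added example, not part of the original article: the inventory, field names, patch identifier and the 7-day scan gap are all constructed assumptions.

```python
from datetime import date

PATCH = "PATCH-ID-PLACEHOLDER"  # placeholder, not a real patch identifier
TODAY = date(2017, 7, 3)        # constructed reporting date

def dev(host, kind, enc, patched, av_on, sig, scan):
    """Build one inventory record (hypothetical schema)."""
    return {"host": host, "kind": kind, "encrypted": enc,
            "patches": {PATCH} if patched else set(),
            "av_running": av_on, "av_sig": sig, "av_scan": scan}

# Constructed inventory: host, type, disk encrypted, patch installed,
# AV running, date of AV signatures, date of last completed AV scan.
INVENTORY = [
    dev("LAP-001", "laptop", True, True, True, date(2017, 7, 2), date(2017, 7, 2)),
    dev("LAP-002", "laptop", False, False, True, date(2017, 6, 20), date(2017, 7, 1)),
    dev("LAP-003", "laptop", True, True, False, date(2017, 7, 3), date(2017, 6, 1)),
    dev("LAP-004", "laptop", True, True, True, date(2017, 7, 3), date(2017, 5, 15)),
    dev("DSK-001", "desktop", False, False, True, date(2017, 7, 1), date(2017, 7, 2)),
]

def unencrypted_laptops(inv):
    """Return (hosts, percentage) of laptops without disk encryption."""
    laptops = [d for d in inv if d["kind"] == "laptop"]
    bad = [d["host"] for d in laptops if not d["encrypted"]]
    pct = 100.0 * len(bad) / len(laptops) if laptops else 0.0
    return bad, pct

def missing_patch(inv, patch_id):
    """Devices to target first when a specific patch matters."""
    return [d["host"] for d in inv if patch_id not in d["patches"]]

def stale_av(inv, today, max_age_days=2):
    """AV not running at all, or signatures older than a couple of days."""
    return [d["host"] for d in inv
            if not d["av_running"] or (today - d["av_sig"]).days > max_age_days]

def running_not_scanning(inv, today, max_scan_gap_days=7):
    """AV process is up but no scan has completed recently."""
    return [d["host"] for d in inv
            if d["av_running"] and (today - d["av_scan"]).days > max_scan_gap_days]

def report(inv, today, tolerance_pct):
    """Collect the measurements and compare encryption against the tolerance."""
    bad, pct = unencrypted_laptops(inv)
    return {
        "unencrypted_laptops": bad,
        "unencrypted_pct": pct,
        "encryption_within_tolerance": pct <= tolerance_pct,
        "missing_patch": missing_patch(inv, PATCH),
        "stale_av": stale_av(inv, today),
        "av_running_not_scanning": running_not_scanning(inv, today),
    }

if __name__ == "__main__":
    for name, value in report(INVENTORY, TODAY, tolerance_pct=10).items():
        print(f"{name}: {value}")
```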

If you don’t measure what you have, how can you improve it?

Encryption

A while back I mentioned in my post on Backups that we needed to talk about Encryption, so here we are. First of all, I need to explain what encryption is. At its simplest, it’s a way of making a message unreadable by anyone other than the intended recipient.

I should also point out that there is a difference between a code and a cipher, though they tend to be used interchangeably. A code is where each word in a message is replaced with a code word or symbol, whereas a cipher is where each letter in a message is replaced with a cipher letter or symbol. In fact, when most people say “code,” they are actually referring to ciphers.

Why encrypt anything?

Why would you want to use encryption though? You may say that you’ve nothing to hide, but think about that for a second. Say you’re accessing your bank account – would you want anyone who is able to intercept the messages you send to be able to read them? What about if you’re paying for something online? Would you want someone to be able to read your credit card number and security code? What about if you’re in contact with your doctor or hospital about a medical condition? You get the idea I hope…

For these reasons, and many more, communications between our computers, our laptops, tablets and smartphones and a whole host of services, whether financial or health related, or just generally private, are encrypted for us.  If you’ve noticed some web pages start with https rather than http – that means that the former are encrypted and should be more secure.

How does it work?

Encryption has been around for millennia, though with the advent of more and more complicated maths and now computers, the processes have changed dramatically.  I’m not going to go into the detail of how it all works here, other than with a very simple example. 

Going back 2000 years, a common method of encryption would be to substitute one letter for another.  The most popular way of doing this was called a Caesar Cipher (after the Roman emperor), and worked like this:

First of all, write down the alphabet

ABCDEFGHIJKLMNOPQRSTUVWXYZ

Then, move the letters along a number of places. In the example below, I’ve moved them 3 places, so A now sits below where D was:

XYZABCDEFGHIJKLMNOPQRSTUVW

Write your message using the new letters.  In this example, HELLO would be:

LIPPS

As you can imagine, this would not take long to decode, but worked quite well in a time when a lot of people were illiterate.
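
How little work "not long to decode" means in practice, as an added example that is not part of the original post: a Caesar cipher has only 25 usable keys, so every shift can simply be tried. The word list is constructed for illustration; the ciphertext LIPPS from the post comes back as HELLO at a shift of 4.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar(text, shift):
    """Move each letter A-Z along by `shift` places, wrapping Z round to A."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)

def brute_force(ciphertext):
    """Return (shift, candidate plaintext) for every one of the 25 keys."""
    return [(s, caesar(ciphertext, -s)) for s in range(1, 26)]

def crack(ciphertext, known_words):
    """Keep only the shifts whose candidate is made entirely of known words."""
    hits = []
    for shift, candidate in brute_force(ciphertext):
        if all(word in known_words for word in candidate.split()):
            hits.append((shift, candidate))
    return hits

# Constructed word list standing in for a dictionary.
WORDS = {"HELLO", "YOU", "ATTACK", "AT", "DAWN"}

if __name__ == "__main__":
    for shift, candidate in brute_force("LIPPS"):
        print(f"{shift:2d}  {candidate}")
    print(crack("LIPPS", WORDS))
    print(crack(caesar("YOU ATTACK AT DAWN", 3), WORDS))
```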

Jump forward to today and you use huge prime numbers, really clever maths and quantum computers in an ever changing, rapidly evolving battle to keep messages confidential.

Encryption in history

There are two really interesting stories about encryption from World War II which I’d like to share with you.

The first is all about Bletchley Park and Enigma. I’m sure you’ll have heard of them, or at least of the film The Imitation Game, one of several which have covered the activities of Britain’s code breakers. Their work in breaking the German codes is said to have shortened the war by at least 2 years, but it’s relatively unknown that Enigma was actually broken in the mid-1930s by Polish code breakers. Not long before war broke out the machines were changed to make them more difficult to break. If you ever have the chance to visit Bletchley (it’s near Milton Keynes in England) you should do so - it’s a fascinating and absorbing day out.

The second story is less well known. Clever maths and computers are all well and good, but there’s another way to make messages unintelligible. Write them in a language that only the sender and recipient understand.  That’s what the Americans did, using teams of Navajo tribesmen. Other than members of the tribe, only a handful of other people spoke their language. The Navajo working in this way were known as Windtalkers, and were deployed throughout the Pacific. 

Passwords and encryption

Sorry, but I have to bring passwords into this. You may have heard of plain text password storage – that’s where a password is stored and isn’t encrypted. Most systems now use a process called hashing, which is a form of encryption. This involves taking the password and applying some maths to it to get an unrelated string of text, which is then stored. When you log in again and enter your password, it is typically hashed again and that string compared against the one which has been stored. If you type the same password, the hashes will match, but even a small change will result in no match. Note that you don’t “unhash” the text.

Here’s an example to illustrate this. I used a common tool called an MD5 hash generator (try it, you can find free ones using Google), and ran it against the word password. The hash which was generated was:

5f4dcc3b5aa765d61d8327deb882cf99

I used the same tool, and this time used a capital letter P in Password. The result?

dc647eb65e6711e155375218212b3964

You can see that they’re totally different.

When hackers try to break into systems, they have ways of accessing the stored passwords, which as you now know are hashed. BUT – they have a pregenerated list of common passwords and even dictionary words with their associated hashes. It’s easy for them to scan the hashes looking for a match in their list. (The lists are called Rainbow Tables.) This is one reason why you should never use common passwords, or dictionary words: they’re the first ones to be tried by hackers and therefore the first to be broken.
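
Why a common password stored as a bare MD5 hash gives no protection, and what a defender stores instead, as an added example that is not part of the original post. A plain precomputed dictionary stands in for the lists the post describes; the word list is constructed, and the salted PBKDF2 storage with its iteration count is an illustrative choice, not something the post specifies.

```python
import hashlib
import hmac
import os

# The two hashes quoted in the post.
PAGE_HASHES = ["5f4dcc3b5aa765d61d8327deb882cf99",
               "dc647eb65e6711e155375218212b3964"]

# Constructed list of common passwords.
COMMON = ["123456", "password", "Password", "qwerty", "letmein"]

ITERATIONS = 100_000  # illustrative work factor

def md5_hex(password):
    """Unsalted MD5, as produced by the online generator in the post."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup(words):
    """Precompute hash -> password once; every later lookup is instant."""
    return {md5_hex(w): w for w in words}

def lookup(stored_hash, table):
    """Return the password behind a stored hash, or None if not in the list."""
    return table.get(stored_hash)

def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Salted, deliberately slow hash: the same password stores differently
    for every user, so one precomputed list no longer fits all of them."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify(password, salt, stored, iterations=ITERATIONS):
    """Log-in check: hash the attempt with the stored salt and compare."""
    _, attempt = hash_salted(password, salt, iterations)
    return hmac.compare_digest(attempt, stored)

if __name__ == "__main__":
    table = build_lookup(COMMON)
    for h in PAGE_HASHES:
        print(h, "->", lookup(h, table))
    salt_a, stored_a = hash_salted("password")
    salt_b, stored_b = hash_salted("password")
    print("same password, same stored value?", stored_a == stored_b)
    print("found in lookup table?", lookup(stored_a.hex(), table))
    print("correct log-in accepted?", verify("password", salt_a, stored_a))
    print("capital P accepted?", verify("Password", salt_a, stored_a))
```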

Further reading

If you want to know more about the history and how things have changed, I’d recommend reading Simon Singh’s The Code Book, though be warned that towards the end the maths gets quite heavy! You’ll also learn more about Enigma, the Windtalkers, dead languages and about Alice, Bob and Eve (aka Mallory) who are used to explain a common form of encryption used today which uses a Public Key Infrastructure (PKI).

What’s the deal with passwords?

In an earlier post I talked about password hygiene, and about the challenges we have in keeping passwords secret.  I realised that I’d missed the opportunity to talk about why we need passwords – so I thought I’d cover it now.

Computers will – if set up “normally” – ask for a username and password after you switch them on. This is a process called authentication (though more commonly we call it logging in or logging on), and in the early days (before the Internet existed) was seen as quite a good way of ensuring that the person entering the username is who they say they are. One reason why this is important is so that there is some accountability on systems: if something bad has happened, it can often be tracked back to a specific username. The person who “owns” that user name can be held accountable – and those who don’t “own” it can be discounted as the culprit. It’s therefore quite a good protection mechanism for the other users.

Once that single computer was connected to lots of others, and particularly when connected over the Internet, some people found a challenge in trying to access those remote systems by trying to guess usernames and passwords (at a very basic level this is what hackers try to do).  Passwords which are easy to guess mean that the bad guys don’t have to work very hard to access your account.  Once they have access to your computer, they will often try to see what else they can get access to, such as your bank account, financial details, holiday plans etc.

Have a look at the image below:

image

It’s obvious that the most common passwords (and therefore the easiest to guess) haven’t changed much over the previous 5 years.  This is bad!

The bad guys use a range of software tools to try to break (or crack) passwords, and generally speaking the longer the password, the better. But, length alone isn’t the answer. If the password is just numbers, the bad guys “only” need to try combinations of 0 to 9 in increasing lengths, i.e. 0, 00, 01, 02, 03 etc. If it’s just lower or upper case letters, i.e. a to z or A to Z, then there are 26 variables which they need to try before moving on to a longer length.

Mixing numbers, upper and lower case letters and special characters (e.g. !@£$%^) gives a much longer set of variables which need to be tried, and this mix is what is called a complex password. In all cases, the longer the combination of these the better, but the industry standard is a minimum of 8 characters long. Personally, I prefer at least 15 characters, because the maths shows that with current computing power complex passwords of that length are very, very difficult to crack.

Obviously, the longer and more complex the password, the more likely you are to forget it, which is why good password hygiene is required.  Password hygiene can be compared to personal hygiene, and more particularly your underwear.

image

So – keep your passwords to yourself, change them regularly, and don’t show them to anyone else!

Password hygiene

By now, we probably all know that we should have different passwords for every account we have, and use different ones for each website.  You probably also know that they should be a mix of upper and lower case letters, numbers and special symbols. They should be more than 8 characters – and no that doesn’t mean $now White and the 7 Dwarves.  This is what’s known as password hygiene.

That’s all well and good, but how do you remember them all?  Most security professionals would express horror at the suggestion that you have to write them down, but unless the bad guys are actually in your house, they have no access to them if you do. One word of caution before you go and document everything – be sensible.

It might seem like a good idea having a book like the one in the image, but then the bad guys in your house know exactly what they’re taking!  If you are going to write your passwords down, make sure you lock the book away in a secure location where it’s not easily found by intruders.

An alternative is to use one of the many password management apps that are around, but as that’s connected to the Internet then by definition it is vulnerable – especially as it tends to require a master password and if you’ve not chosen a good one of those then your other passwords are easily found.  At the very least, make sure it encrypts your passwords with something like 128 or 256 bit AES.

As with all things, the choice is yours and based on your level of risk appetite.  Personally, I like the flexibility of the electronic app, but I’d combine it with a master password and another token, eg a PIN number sent to my mobile or use of a fingerprint reader.

What are backups, and when / why are they needed?

As I’m keeping this simple, I guess I should start by explaining what a backup is, and why it’s necessary. (Apologies to those who know, but if my blog item on Patching was Security 101, then this is surely part of IT 101!)

A backup is simply a copy of one or more files kept on a different device than your working version. You need one so that if the original file is lost, damaged or deleted, then you won’t have to recreate it from the beginning. Some files are irreplaceable e.g. family photos in the digital age (because we no longer get film negatives with our snaps) so we need to be careful.

Here’s a question: do you backup your home PC, laptop, smartphone, tablet etc on a regular basis?

  • Those of you using the iCloud or something similar – well done. (As an aside, and not part of this discussion – have you thought about how secure the data is there: after all, you don’t control who has access do you?) You probably just need to worry about how often you back up to that cloud storage and whether you have an Internet connection at the time you need it.
  • Those using iTunes or similar – that’s great, your device is backed up, but what if the place you’re backing up to, e.g. your home PC, dies?
  • As for the rest – do you use a thumb drive or external hard drive of some sort?

Another question to consider is: how often do your files change? If you have a document which you work on regularly e.g. accounts for a social club, it may be something you need to backup regularly. If it’s a treasured family photograph, or an invoice for an online purchase, the file won’t change but you should really have at least one backup copy.

There are many backup solutions available. Perhaps the simplest is to use an external hard drive or a thumb drive (also called a memory stick, USB drive, pen drive etc) and simply copy the files you want across to it. Make sure you keep the drive in a safe place (not next to your computer though: if the computer goes up in flames during a house fire, having files copied on a device sitting next to it probably won’t be any use) and, if the data on it is sensitive you may want to encrypt it. (Hmm, I think I’ll need to write a separate post on encryption!)

As you can infer from above, there are many cloud based services like the Apple iCloud or Microsoft’s Office 365 where you can hold all your files and not have to worry about messing around with thumb drives etc. Personally, if I was going to use them for some of my own sensitive files, I’d ensure I used some of their more secure services like two factor authentication.

That sounds scary and technical, but it’s basically a combination of a password and a code generated on a separate device (as they say in the trade, it’s something you know and something you have, which “proves” you are you). That device may be software on a phone, a pin code that’s sent to your phone or email, or it may be a physical thing like a fob which your bank provides: I have one which looks a bit like a small calculator which I have to slide my bank card into, and it gives a code which I have to type in on the website before I can access my account details.

There’s another time when you should seriously consider making sure you have backed up your data properly, and if you don’t do it at any other time then you should make sure you do it when … upgrading your device and / or the operating system software on it. Apple tend to force the backup if you use iTunes, because that’s the first thing they do before upgrading the software. Given that right now many people will be eligible to upgrade their Windows version for free (if it’s a personal device which is compatible and running specific earlier versions), it’s worth making sure your essential files are backed up before you start.