C is for…

CAT5

We don’t really hear this term very often any more, but it refers to probably the most common form of network cabling in offices and homes over the last 15-20 years. It’s the cable you may connect from your home router to your laptop if you don’t use Wi-Fi – it’s almost certainly been provided with the router and you may have left it in the box.

The picture below shows the ends of a CAT5 cable. Recognise it?

CIA Triad

This is a common term used to refer to the three main pillars of information security, Confidentiality, Integrity and Availability. Information Security is all about addressing these three topics when applied to data.

Cloud

“The Cloud” is a term used by many, and the common reference for it is “someone else’s computer”. That’s a pretty good explanation, in that cloud services are provided by a range of companies where they have buildings housing lots of servers, and you effectively rent out one or more of those servers. The benefits are that you don’t have to manage the servers, procurement of parts or maintenance. You don’t have to worry about ensuring the power is always on and quite often your backups are done for you. You can also generally flex storage space up and down as you need it, rather than having to own lots when you don’t always use it. Cloud can therefore seem quite attractive from a cost point of view. The disadvantages – which are actually things you need to ask about – are that you don’t know who has access to your physical servers, you don’t know who you’re sharing server space with, and you don’t necessarily know which country your data is being held in. You therefore need to have a good handle on the security of data, and make sure your Governance / audit processes take this into account.

Confidentiality

Part of the CIA triad, confidentiality is concerned with making sure only authorised people have access to data.

For example, you would not want just anyone to be able to read your medical records: your doctor’s surgery or hospital will keep that information confidential.

Cryptocurrency

Put simply, cryptocurrency is an electronic form of currency which is not regulated, managed or overseen by any banks or governments. Based on cryptographic techniques, it uses blockchain technology to validate every transaction. There is no single point of control. Some stock exchanges and banks are starting to recognise the various currencies, such as Bitcoin, Ripple and Ethereum, and to actively trade in them, while others are banning cryptocurrency altogether. At the time of writing this article, values for the various currencies have been fluctuating massively and it’s likely that they will take some time to settle down.

Cryptography

Cryptography is all about scrambling data to make it unreadable or impossible to understand without first unscrambling it. The technical terms for these processes are encryption and decryption. Many methods have been used over the years to encrypt data.

Manual manipulation of messages eg using one time pads (as the name infers, these were sheets of paper which were to be used only once: messages were scrambled using the random set of letters on the pad and the recipient would have to be using the same pad to decrypt the message) has been done for at least 2000 years or more.

Computers have been increasingly used for this process in the last 70 years. Enigma was a machine used by the Germans in WW2 to securely swap messages and was the name given to the code which was broken by Polish mathematicians in the 1930s and again by a team led by Alan Turing at Bletchley Park during the war, as dramatised in the film The Imitation Game. Later in the war, a code called Lorenz was broken using a machine devised by Bill Tutte and built by Tommy Flowers. The machine was called Colossus and was the first real computer in the world. It was destroyed after the war and its creation kept secret until many years later, so an American invention in the late 1940s called ENIAC has until recently been thought to be the first computer.

Modern cryptography relies on complicated maths and massive processing power, which can only be provided by computers. Techniques are continuously evolving, and manual cracking of codes is nigh on impossible now.

Cyber

We all use the term, but what exactly is cyber? There are many different definitions, all of which are right. The most basic is probably “something to do with computers”. It’s important that all people in a business share the same definition, so you all know exactly what you mean by the term.

I believe that in 5 to 10 years we won’t be talking about cyber- anything. Cybersecurity, cyberwarfare etc will have lost the prefix and we’ll just be talking about security, warfare etc.

Encryption

A while back I mentioned in my post on Backups that we needed to talk about Encryption, so here we are. First of all, I need to explain what encryption is. At its simplest, its a way of making a message unreadable by anyone other than the intended recipient.  

I should also point out that there is a difference between a code and a cipher, though they tend to be used interchangably. A code is where each word in a message is replaced with a code word or symbol, whereas a cipher is where each letter in a message is replaced with a cipher letter or symbol. In fact, when most people say “code,” they are actually referring to ciphers.

Why encrypt anything?

Why would you want to use encryption though? You may say that you’ve nothing to hide, but think about that for a second. Say you’re accessing your bank account – would you want anyone who is able to intercept the messages you send to be able to read them? What about if you’re paying for something online? Would you want someone to be able to read your credit card number and security code? What about if you’re in contact with your doctor or hospital about a medical condition? You get the idea I hope…

For these reasons, and many more, communications between our computers, our laptops, tablets and smartphones and a whole host of services, whether financial or health related, or just generally private, are encrypted for us.  If you’ve noticed some web pages start with https rather than http – that means that the former are encrypted and should be more secure.

How does it work?

Encryption has been around for millennia, though with the advent of more and more complicated maths and now computers, the processes have changed dramatically.  I’m not going to go into the detail of how it all works here, other than with a very simple example. 

Going back 2000 years, a common method of encryption would be to substitute one letter for another.  The most popular way of doing this was called a Caesar Cipher (after the Roman emperor), and worked like this:

First of all, write down the alphabet

ABCDEFGHIJKLMNOPQRSTUVWXYZ

Then, move the letters along a number of places. In the example below, I’ve moved them 3 places, so A now sits below where D was:

XYZABCDEFGHIJKLMNOPQRSTUVW

Write your message using the new letters.  In this example, HELLO would be:

LIPPS

As you can imagine, this would not take long to decode, but worked quite well in a time when a lot of people were illiterate.

Jump forward to today and you use huge prime numbers, really clever maths and quantum computers in an ever changing, rapidly evolving battle to keep messages confidential.

Encryption in history
There are two really interesting stories about encryption from World War II which I’d like to share with you.

The first is all about Bletchley Park and Enigma. I’m sure you’ll have heard of them, or at least of the film The Imitation Game, one of several which have covered the activities of Britain’s code breakers. Their work in breaking the German codes are said to have shortened the war by at least 2 years, but it’s relatively unknown that Enigma was actually broken in the mid-1930s by Polish code breakers. Not long before war broke out the machines were changed to make them more difficult to break. If you ever have the chance to visit Bletchley (it’s near Milton Keynes in England) you should do so -it’s a fascinating and absorbing day out.

The second story is less well known. Clever maths and computers are all well and good, but there’s another way to make messages unintelligible. Write them in a language that only the sender and recipient understand.  That’s what the Americans did, using teams of Navajo tribesmen. Other than members of the tribe, only a handful of other people spoke their language. The Navajo working in this way were known as Windtalkers, and were deployed throughout the Pacific. 

Passwords and encryption

Sorry, but I have to bring passwords into this.  You may have heard of plain text password storage – that’s where a password is stored and isn’t encrypted. Most systems now use a process called hashing, which is a form of encryption. This involves taking the password and applying some maths to it to get an unrelated string of text, which is then stored. When you log in again and enter your password, it is typically hashed again and that string compared against the one which has been stored. If you type the same passsword, the hashes will match, but even a small change will result in no match. Note that you don’t “unhash” the text.

Here’s an example to illustrate this. I used a common tool called an MD5 hash generator (try it, you can find free ones using Google), and ran it against the word password. The hash which was generated was:

5f4dcc3b5aa765d61d8327deb882cf99

I used the same tool, and this time used a capital letter P in Password. The result?

dc647eb65e6711e155375218212b3964

You can see that they’re totally different.

When hackers try to break into systems, they have ways of accessing the stored passwords, which as you now know are hashed. BUT – they have a pregenerated list of common passwords and even dictionary words with their associated hashes. It’s easy for them to scan the hashes looking for a match in their list. (The lists are called Rainbow Tables.) This is one reason why you should never use common passwords, or dictionary words: they’re the first ones to be tried by hackers and therefore the first to be broken.

Further reading

If you want to know more about the history and how things have changed, I’d recommend reading Simon Singh’s The Code Book, though be warned that towards the end the maths gets quite heavy! You’ll also learn more about Enigma, the Windtalkers, dead languages and about Alice, Bob and Eve (aka Mallory) who are used to explain a common form of encryption used today which uses a Public Key Infrastructure (PKI).

The Code Book

Having seen Simon Singh explaining how the Enigma machine worked while at a conference, I picked up this book. It charts the history of codes and ciphers from well before Roman times to the current day, and shows how they have developed over time. It was also very useful to read the difference between code (replacing words) and ciphers (replacing letters): most of what was discussed in the book fell into the latter category.

Singh writes in a very clear and informative manner, and makes the history of the topic interesting and at times exciting. I have to confess that some of the maths which was used went over my head, though I understood the general meaning in what was being said.

I was fascinated by the work done to understand the Linear A and Linear B languages, and the fact that initially scholars of Ancient Greek were convinced that neither text were part of that language: it must have been incredible for the person who finally worked out that Linear A was indeed Greek, albeit 500 years older than that used by Homer 3000 years ago.

The assertion that the most unbreakable code was that used by the Navajo code talkers in the Second World War is quite an interesting one. I understand that if you use a language that no-one else understands, then you improve the chances of it not being understood, but the fact that new phrases had to be introduced for English words which don’t appear in the native language must introduce some opportunities for the code breakers to make a start. Some form of frequency analysis would have some effect, but I think that the differences between Japanese kanji and English Roman script had something to do with it too.

The development of near-identical public key cryptography technologies by mathematicians in the US and the U.K. at approximately the same time is also an interesting revelation. (Diffie-Helman and RSA were both more or less simultaneously discovered on either side of the Atlantic, though GCHQ were slightly ahead in each case.) The fact that the cryptologists in the UK were based at GCHQ and therefore unable to share any of their work externally (or to review external solutions) shows I think that given enough time any technology can be “discovered” by different people in different locations.

In summary, I believe that this book is a good introduction to many different concepts, along with many good examples of each concept. It is well worth reading.