in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Data Encryption On Cell Phones Broken?

While you won't have to do it often, there will probably be a point in your lifetime when you've got to upgrade your data encryption software.  And, I emphasize, you won't have to do it often, perhaps never at all, but you will have to when required...or suffer the consequences.

It seems to me that some people just don't get the message, though.

GSM Encryption Effectively Broken

Mr. Karsten Nohl (Dr. Karsten Nohl?  The guy does have a Ph.D. after all), has announced to the world that the widely-used encryption behind GSM, the A5/1 algorithm, is effectively broken.

People have taken their stands, with the industry noting that as of right now it's just a theoretical possibility, and security experts saying it's more than your regular theoretical possibility.  They're not saying it's a practical possibility--yet.  One of them has noted that companies should "assume that within six months their organizations will be at risk."

Who's right?  More probably than not, the security experts that are being cynical.  However, the point is kinda moot.  There's already a more secure encryption method called the A5/3, a 128-bit successor to the 64-bit code powering the A5/1.  It's just a matter of using it, something that hasn't happened because most cellular network operators have declined to make the investments (hm...isn't that beginning to sound familiar?  I'll explore that in the next section).

Based on the New York Times story, it sounds like a rainbow table attack is being used in this case, where tables of preconfigured information are used, seriously cutting down on the time required to gain illegal access to protect information.

An entry in Wikipedia under GSM refers to an announcement by Pico Computing--back in February 2008--that such an attack was possible.  Think about it.  A second announcement which, I assume, includes nearly two more years of research?  This issue has grown wings and flown away from the theoretical platform forever.  People should be worried here.

Denial, Denial, Denial...That's What Happened in TJX Fiasco, Too

The cellular industry has decided to come with their denial guns blazing:

This is theoretically possible but practically unlikely,” said Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. “What he [Nohl] is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.”

and

“We strongly suspect that the teams attempting to develop an intercept capability have underestimated its practical complexity,” GSM said in a statement. The association noted that hackers intent on illegal eavesdropping would need a radio receiver system and signal processing software to process raw radio data, much of which is copyrighted.

Cracking encryption is illegal--fine, I'll give you that.  Copyrights and other "protections" in place? Effective against law abiders.

Since when has terms like "copyright" and "illegal" stopped criminals?  Don't they, by definition, do illegal stuff?  This is more than philosophical musing.  Without researchers like Nohl, we would have no idea what the bad guys could possibly do.

I mean, the industry certainly isn't doing its job--note how more secure encryption, already available, is not being adopted because it's going to take money to upgrade the networks.  Clearly they need a push.

Other complaints on my part regarding the GSM industry's points:

  • "No one else had broken the code since its adoption" - Uh, no.  No one else has broken the code and made an official announcement of it.  Again, it's up to researchers like Nohl that we're able to see what types of weaknesses are possible out in the wild.  Criminals don't go around making such announcements unless they're stupid, a factor many are unwilling to rely on for their security needs.

  • The talk about illegality and copyrights - A rehash of what I said above, but criminals don't care about legality and copyrights.  Heck, if the music industry has shown us anything is that non-criminals don't care about legality and copyrights.  It's not just bad people who'll ignore such issues; regular joes will do so as well.  Copyrights and legal statuses--they provide ammo for prosecution and lawsuits; they don't really protect in the sense of "prevention" when it comes to criminal deeds.

    Also, think about it: If only law abiding people composed the entire population of the world, what's the use of encryption?  Just make the eavesdropping of cellular phone calls illegal, and end of story.  Oh, you know what?  It already is.  And yet we're discussing encryption.  I guess there's a reason why the existing encryption is in place--and by extension, why old, weak encryption standards must be replaced with stronger ones.

Remember how I said that the issue sounds familiar?  That's because the story parallels what turned out to be the greatest data breach in history to date: TJX.

In the TJX data breach, the head honchos decided not to upgrade their wireless communications encryption from WEP (old wireless internet security technology) to a newer, more secure standard.  They knew their encryption was weak and they didn't have the money to make the upgrades.  Then disaster struck.

Granted, the parallels aren't exact.  But, the denial of the security threat; the continued use of what proved to be weak encryption; and the decision not to pursue better security over money issues?  All there, and all leading to a predictable end.

Rarely will a person have to upgrade in their lifetime the encryption algorithms they're using.  However, it behooves people to do so when the writing is on the wall.  And the writing is on the wall.  Heck, there's a spotlight on the writing on the wall.  It's just that most will ignore it until the flashing arrows and siren calls are added.


Related Articles and Sites:
http://www.nytimes.com/2009/12/29/technology/29hack.html?_r=2&pagewanted=all
http://en.wikipedia.org/wiki/GSM
http://en.wikipedia.org/wiki/Rainbow_table
http://blogs.techrepublic.com.com/wireless/?p=206

 
<Previous Next>

An Alternative To Deleting Data? The Rfiddler Looks Cool, Sounds Cool, Perhaps Can Do The Job

Data Security: PSU Alerts 30,000 Of Data Breach

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.