Crypto tells the bad guys what to target

As one of the architects of the popular PGP program, you’d expect Peter Gutmann from the Department of Computer Science at the University of Auckland to be extolling the virtues of encryption for protecting our data. Instead, he says “Encryption is the chicken soup of security, feel free to apply it if it makes you feel better because it’s not going to make things any worse, but it may not make things any better either”.

Gutmann’s talk, which closed out the security stream at the Technology in Government summit held in Canberra during August 2015, took attendees through a tour of recent encryption “hacks” and history. He looked at how over the last decade crypto had ultimately failed. Even when the crypto was weak it was much easier to just bypass it.

During his lightning-fast presentation Gutmann looked at some of the data exposed by Edward Snowden – in particular, documents relating to Project BULLRUN. Funded to the tune of between $250M and $300M, this US government initiative was designed to develop "capabilities against a technology". Compared to other security programs BULLRUN was relatively inexpensive and delivered stunning results.

BULLRUN developed the capability to thwart TLS/SSL, HTTPS, SSH, VPNs, VoIP and webmail.

Gutmann told attendees how sophisticated cryptography has been overcome. For example, he described how most of the major gaming consoles use crypto as a way of securing systems and limiting access to user data. However, all have been hacked to some degree. He noted that just a few years ago, the type of encryption applied to data within gaming consoles was reminiscent of systems governments and security agencies used.

Despite that sophistication, every gaming console, smartphone platform and computer system had been hacked. And in every case it wasn’t the encryption that was broken but the systems surrounding the encryption.

This was highlighted by the revelation of how the NSA was intercepting communications equipment shipped by Cisco to customers and installing surveillance equipment into the routers and switches. Gutmann noted Cisco CEO John Chambers had written to President Obama asking for this to be stopped and that Cisco was in no way compliant with the program.

Encryption tells bad guys what to target

Gutmann says that many hackers look at a system, ignore the encrypted elements and simply attack the rest of the system. In fact, the presence of encrypted data is used as a pointer to where the “good stuff” is, he says.

In summing up, Gutmann put a simple data point on the screen for everyone to reflect on:

Number of attacks that broke the crypto: 0

Number of attacks that bypassed the crypto: All the rest

"No matter how strong the crypto was, or how large the keys were, the attackers walked around it," he added.
