(2013-03-04) The thing about encryption

I've just read an interesting article in "the Register". It's an interview Adi shamir (The 'S' in RSA by the way) who says that "I definitely believe cryptography is becoming less important". He says something that I have thought a lot about: the cost of an attack. What follows here is my take on this security problem: If you want to target a specific individual in an organization (this attack is known as a "spear phishing" attack) you try to get a hold of his/her computer. Trying to get the person to download malware or attacking his browser, email software or other "internet enabled" applications running on the computer seems to be better time spent than trying to break the cryptography of his VPN. Once done, you may want to install malware that stays as "invisible" (a rootkit could be used for this) and at a preset interval "phones home" with captured documents, passwords and recorded key strokes.

The best way to attack a target depends on the cost. Attacking a well implemented cryptography solution may simple be too "expensive" compared to trying to get the person behind keyboard to download malware through a web browser. Few hackers choose to attack the well guarded door, when there might just be easier to get in through the open window in the back yard.

There are situations when attacking the encryption may be superior to attacking a computer: remember improved attack against MS-CHAP version 2? In the late July of 2012, Moxie Marlinspike demonstrated an attack which more or less dealt the PPTP VPN (Which normally uses MS Chap v2 to facilitate the key exchange) a deadly blow. Or even worse: the inherently broken WEP standard.

I think the lesson to be learned is this: you must understand that attackers most likely will choose the open window over the closed door. Understand and attend to the easy attack vectors, the "low hanging fruit" if you will, first!

Read the article here

Tags: Security, cryptography
Posted: 2013-03-04 by Erik Zalitis
Changed: 2013-03-04 by Erik Zalitis

News archive