
AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size that want a scalable and easy-to-deploy solution. Centrally managed through a web-based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security


Weak Encryption: Researchers Crack Encryption On Australian Public Transportation

Researchers revealed at an Australian security conference that they cracked the encryption used by a state public transport system for issuing tickets (read: free rides).  Unlike the encryption algorithm used by AlertBoot laptop encryption -- AES-256, which is open to public poking -- the transportation system was using a custom-designed one.  Usually, that's a bad sign.  The other bad sign?  It's decades old.  This particular public service had them both.

Older Than I Am - A Bad Sign for Crypto

The researchers did not reveal which transportation system it was (although that hasn't stopped people from speculating), but noted that the encryption system being used was very old:

"The custom cryptography was made before I was born." [scmagazine.com.au]

At that rate, it's no wonder that one week's worth of work and $300 was all it took to gain access to what could possibly be free rides for life (or at least, the foreseeable future).

Encryption is susceptible to "inflation" of sorts.  "Techflation," if you will: the relentless march of technology means that many things that were brand new just a number of years ago are considered average or even below average today, and will be positively ancient in ten years.  Encryption, while taking a different form from shiny new things, is no different.

Properly vetted encryption algorithms start out strong (why would anyone use weak security, right?) but become weaker over time as technology progresses.  The algorithm itself doesn't change, but the tools that can crack it do.  I have no sources for the speculation I'm about to make, but I'm guessing that today's digital watch would probably crack whatever encryption was being used back in the 1970s.  This makes sense when you consider all the reports pointing out how today's digital watches have more computing power than computers from that era.

Right now, the encryption standard is AES, and chances are a digital watch created 30 years from now won't be able to crack it.  Per some calculations, an attempt to crack it would require more energy than is available in the universe.  Other calculations make it less dramatic, but still guarantee at least 30 years' worth of protection before having to slowly find a replacement.  If something does crack AES -- and turns it into weak encryption -- it will probably be a supercomputer, not some flashing device on someone's wrist.
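A rough model of the "techflation" argument above, as an added example that is not part of the original post: the keyspace stays fixed while hardware speed doubles on a schedule, so the year in which a one-year exhaustive search becomes feasible depends only on key length. The start year, the 1,000 keys-per-second baseline, the two-year doubling period and the key sizes are constructed assumptions, not measurements or details of the transport system.

```python
# Added illustration; all parameters are constructed assumptions, not measurements.
SECONDS_PER_YEAR = 365 * 24 * 3600

def doublings_needed(key_bits, base_rate, budget_seconds=SECONDS_PER_YEAR):
    """Hardware-speed doublings before an average-case exhaustive key search
    (half the keyspace) fits inside the time budget."""
    work = 2 ** (key_bits - 1)              # expected number of trial keys
    capacity = base_rate * budget_seconds   # keys testable today within budget
    if capacity >= work:
        return 0
    shortfall = -(-work // capacity)        # ceil(work / capacity), exact ints
    return (shortfall - 1).bit_length()     # smallest n with 2**n >= shortfall

def feasible_year(key_bits, base_year=1975, base_rate=1_000, doubling_years=2):
    """First year in which the search fits a one-year budget, assuming speed
    doubles every `doubling_years` from `base_rate` keys/s in `base_year`."""
    return base_year + doubling_years * doublings_needed(key_bits, base_rate)

def report(key_sizes=(40, 56, 128, 256)):
    """Map each key size (in bits) to its modelled feasibility year."""
    return {bits: feasible_year(bits) for bits in key_sizes}

if __name__ == "__main__":
    for bits, year in report().items():
        print(f"{bits:>3}-bit key: one-year brute force feasible around {year}")
```

The model covers exhaustive search only; it says nothing about design flaws, which can make a cipher fall far sooner than its key length suggests.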

The Other Bad Sign: Custom, Not Open to the Public

Generally speaking, encryption algorithms that are open to public inspection are almost always more secure than custom-made ones.  The reason for this can be likened to Darwinian survival: there are more people trying to break the algorithm, using their own approaches.  This is like an animal having to survive against all the different dangers nature is throwing its way (weather, predators, lack of prey, terrain, etc.); the animals that survive are bound to be strong.  Likewise, an encryption algorithm that survives a public assault is generally strong.

Custom encryption jobs, on the other hand, are like animals that are raised in captivity.  They're bred and raised in a safe environment, and they're big and strong, but the creatures will never make it on the outside.

Of course, not all custom jobs are bad.  If you hire the guy who designed a successful, open-to-the-public encryption algorithm to create a custom one for you, chances are it will work as intended without any surprises.  But even then, you can't beat the sense of security coming from a bank of professional researchers looking to break it and failing.


Related Articles and Sites:
http://www.scmagazine.com.au/News/320026,researchers-crack-aussie-state-transport-system-get-free-rides.aspx
http://it.slashdot.org/story/12/10/22/0755244/aussie-researchers-crack-transport-crypto-get-free-rides


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.