Wednesday, June 27, 2018

About the Cyber Kill Chain

The Cyber Kill Chain introduced by Lockheed Martin is a cybersecurity model to describe, in general, how a computer intrusion (hacking) through IT network is carried out in 7 distinguished stages. It was developed based on military attack kind of thought.

Anyhow, there is no common SOP in cyber-attack, and hackers are not necessary following the Cyber Kill Chain of planning and action in their attacks.

This model is however useful to plan for cyber-defense strategy and measure, and also for cyber-threat analysis to a networked computer system.

The 7 stages in Cyber Kill Chain are:

  • Reconnaissance - the victim is observed, analyzed and studied by the attacker.
  • Weaponization - tools are developed or obtained to exploit the weaknesses found in the victim.
  • Delivery - the "weapon" is deployed to the targeted victim.
  • Exploitation - once the "weapon" is successfully deployed, it will start working by looking for vulnerabilities in the victim's computer system.
  • Installation - at the stage, access is silently obtained by the "weapon". It will find it way to communicate to the attacker using the computer network. Normally, a backdoor is established to enable such linkage.
  • Command and Control - remote access to the victim's computer system is made available to the attacker. The attacker can take over control of the compromized system and issue command to it.
  • Actions on Objectives - with the control, the attacker is able to proceed with the objectives of the attack, such as data exfiltration, data destruction, data encryption for ransom, etc.



With reference to this model, the defending party can plan for countering the attack by the famous 4 Fs strategy, namely:
  • Find the enemy
  • Fix the enemy
  • Fight the enemy
  • Finish the enemy

Thursday, June 21, 2018

Cryptography - the essential technique in today computing world

Cryptography is the method of converting plaintext information into non human-readable form called ciphertext through a process called encryption, and reverse process to convert the ciphertext back to original form called decryption.

Today, knowledge in cryptography is crucial for every computer programmers and computer engineers. It is applied in everywhere in the cyberspace and it is a sin of omission if not applied properly to provide cybersecurity protection in the areas of confidentiality, integrity, authentication, and non-repudiation.

Cryptography is the integral part of blockchains and crypto-currencies such as Bitcoin, Ethereum, etc. It is used to secure data transmission in WiFi communication, 4G LTE network, HTTPS web access, etc. It is also extensively used to secure file system in Apple iOS, Windows Bitlocker, SSD encryption, etc. It enables the implementation of digital signature.

Cryptography makes use of digital key(s) to perform the encryption and decryption process. There is one kind of cryptography called hashing which does not make use of any key, and the ciphertext is non-reversible to original information.


Keyless Cryptography (Hashing)
Hashing is a one way function that convert its input message into irreversible string of text called hash or digest, which normally has a length much shorter than the input message. The key concept of hashing is that the generated digest is unique to the input message, so that same input message will always generate the same digest, and different input message will not generate the same digest.

Hashing is commonly used:
  • To store password for identity authentication
  • To generate checksum or fingerprint to verify if the original information has not been tampered or changed
  • In database and data storage for more efficient data searching
  • In computer geometrics and computer graphics

Examples of hashing function are:
  • MD5 (Message Digest 5) - designed to replace earlier version of MD2 and MD4. Still commonly used despite MD6 has been around to replace it.
  • SHA-3 (Secure Hash Algorithm 3) - winner of the NIST hash function competition.  Commonly used in digital certificates. Supersedes earlier version of SHA-0, SHA-1 and SHA-2.
  • BLAKE2 - Used in RAR compressed file checksum. Supersedes earlier version of BLAKE.


Symmetric Key Cryptography (Private Key Cryptography)
The same private key is used for message encryption and decryption.

It is commonly used in secured data transmission, such as SSH, WiFi with password, 4G LTE communication, etc.

Examples of symmetric key cryptography are:
  • DES (Data Encryption Standard) - designed by IBM in 1970's. Modern supercomputer is able to decrypt DES encrypted information within just a few days. Still commonly used in smart cards, SIM cards, etc.
  • 3DES (Triple DES) - more secure version of DES.
  • IDEA (International Data Encryption Algorithm) - commonly used in Pretty Good Privacy (PGP) email signing and secured email transfer.
  • ThreeFish - is the successor of Blowfish and TwoFish. Commonly used in SSH secured remote access.
  • RC6 (Rivest cipher 6) - designed by RSA Security, patent just expired in 2017. Commonly used for secured data transmission and in bank ATM machines. Is the successor of RC2, RC4, RC5.
  • AES (Advanced Encryption Standard) - commonly used by USA government and commercial sector to protect top secret documents.

Asymmetric Key Cryptography (Public Key Cryptography)
Consists of a key pair. The private key that should be kept secret with the owner, and the public key that needs to be known by others.

In the scenario of digital signing, the private key is used to sign the digital document, and the public key is used to verify the digital signature.

In the scenario of data encryption, the public key is used to encrypt the document to be sent to the private key owner, and the encrypted document can only be decrypted using the corresponding private key.

It is commonly used in Secure Socket Layer (SSL), Transport Layer Security (TLS), S/MIME, digital signature, blockchains and crypto-currencies.

Examples of asymmetric key cryptography are:
  • RSA (Rivest-Shamir-Adleman) - named after its 3 designers. Patent expired in 2000. Compared with DSA, it is slower in digital signing and faster in verification.
  • DSA (Digital Signature Algorithm) - patented but can be used royalty free. Commonly used in SSH and digital signature. Compared with RSA, it is faster in digital signing and slower in verification.
  • ECC (Elliptic Curve Cryptography) - derived from DSA and based on Elliptic Curves theory. Commonly used in Bitcoin, Ethereum, iOS, etc.
  • Diffie-Hellman - is used for public key exchange and not for digital signing or data encryption.

Tuesday, June 12, 2018

Is your organization still following the outdated password policy?

If you were told or forced to set up a so-called "strong password" which required to be determined as complex (must consist of combination of uppercase letters, lowercase letters, numbers, special characters, and so on...) just to safeguard your user account from password guessing, peeping, and/or brute-force attack, the policy is outdated and should be obsoleted as soon as possible.

If you were also told or forced to change your password periodically, let's say every month or so, that thinking also has been admitted by certain cybersecurity experts to be foolish and will not make your account more secured.

Indeed, it only serves to make your life more difficult, and makes your account much more vulnerable if you eventually did either one of the following attempts to help remembering your latest password:

  • Write your latest password on Post-It notes or inside your diary book.
  • Tape your password somewhere near your computer (similar way to what character Nolan Sorrento in movie Ready Player One did).
  • Keep your password in a computer file (text, Word, Excel, ...), either password protected or not.
  • Store it with your web browser's auto-complete feature.
Apparently, the outdated password policy that required complex password and frequent change was derived from a 2003 National Institute of Standards and Technology (NIST) report namely "NIST Special Publication 800-63. Appendix A."

Interestingly, it is also NIST who has overthrown its own password guidelines in its recent NIST Special Publication 800-63A report namely "Digital Identity Guidelines:  Enrollment and Identity Proofing Requirements." released in June 2017. You can download the complete report here for free.

The new report has made the following important suggestions:
  • Verifier SHOULD NOT impose annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. They make most people remembering password by Post-It notes or computer file. It's better to allow people to use pass phrases.
  • Verifier SHOULD NOT bother user with password expiration. That was an old idea for an old way we used computers. Only force a password change when there's indication of compromise.
  • SHOULD use dual factor authentication (2FA). This is the proven to be the more robust and secure way.
Dual factor authentication adds an additional layer of security by requiring not only the password, but also another piece of information that only the account holder has or know. One of the most commonly used method for dual factor authentication is one-time-password (OTP) which could be  event-based (OTP is generated by triggering an event, such as a keypress, explained in RFC 4226) and/or time-based (OTP will keep on changing by time, explained in RFC 6238).

The account holder need to read the OTP from a token, and use it for successful account login. The token can be generated from a hardware device such as key fob, display card, USB authentication key, OCRA keypad, etc. It can also be generated and delivered to the account holder by software, in the form of SMS, email, mobile app display, push app notification, etc.

Note that the use of SMS or email for OTP is also outdated method which is vulnerable to trojan horse interceptions and/or malicious software crack-in. You can search the Internet for the following keywords to read more about how insecure to use SMS for OTP:
  • ZeuS-in-the-Mobile (ZitMo)
  • SpyEye-in-the-Mobile (SPITMO)
  • Android.Bankosy
Besides, the OTP in SMS and email is very likely to be sent in plain text form, which subject to ISMS threats of interruption, interception, modification and fabrication along its way.

Therefore, all organizations should update their password policy for all users to be:
  • Use pass phrases instead of password
  • Use dual factor authentication with secure token (avoid using the outdated SMS or email method)

Hint: Click on the "Older Posts" link to continue reading, or click here for a listing of all my past 3 months articles.