3/1/2016
10:30 AM
Better Locks Than Back Doors: Why Apple Is Right About Encryption

What the landmark privacy case and a new documentary about Stuxnet both have to say about the encryption versus government oversight debate.

There’s never a shortage of headlines in the world of cybersecurity and recent weeks have been no exception. I’m referring to the landmark privacy case between the FBI and Apple and the Berlin debut of the documentary “Zero Days,” which delves into the 2010 Stuxnet worm. The two events have brought the encryption vs. government oversight debate into the public arena in a very real way.

At first glance, these are two separate issues. One is about allowing the government into the device of a suspected terrorist; the other is about government-backed cyber-warfare. However, I believe the parallels are clear, and in my opinion, both cases have simple resolutions: If governments really want to keep their citizens safe, they need to focus more on defense than offense.

Offensive cybersecurity tactics offer short-term benefits but have long-term consequences. A government focused on offense is motivated to hide vulnerabilities for later exploitation. This puts every citizen at risk, as bad actors will surely find these holes too.

Governments too focused on offense are also motivated to weaken security for their own purpose. To use the Apple case as an example, the FBI wants to remove security features designed to keep criminals out of consumer devices for the sake of learning more about one dead terrorist. Unfortunately, purposely weakening defense in this way could expose new risks, which no one can guarantee won’t fall into the wrong hands. This also applies to governments hoping to maintain some “master key” for public encryption solutions.

Not having seen the “Zero Days” documentary yet (it releases in the US in May), I can’t yet comment on its accuracy or content. That said, I’m not surprised to hear that governments—including our own—are planning, or have already carried out offensive cyber campaigns.

If you’ve followed information security for the past five or so years, you’ve seen plenty of evidence of governments creating “red teams” trained to launch computer and network attacks. You’ve seen the details about Operation Olympic Games, experts have analyzed Stuxnet, you’ve followed the Snowden leaks, you’ve seen government cyber budgets expand, and most recently, you’ve probably heard Ukraine accuse another country of attacking its critical infrastructure. With all of this evidence, it should not come as a surprise that governments are considering cyber attacks… However, it should concern you greatly.

These types of “cyber” attacks—ones that target critical infrastructure and pose physical, real-world ramifications—are not only possible but increasingly probable. Stuxnet proved that. Furthermore, I believe digital attacks can result in real human death. Many of our most critical systems rely heavily on computers and cyber networks, which don’t always have the protection they should. Alex Gibney’s Stuxnet documentary will reportedly suggest that the US government planned to launch a digital attack on the Fordo nuclear facility in Iran. While such a plan might seem like science fiction to some, and would certainly pose difficulties (the facility has more defenses than most), the past has proven that motivated, persistent attackers with money can often breach the strongest defenses. 

Are the governments considering launching such attacks really prepared to defend themselves from these same attacks? The short answer is no. Even the former director of the CIA and NSA says that we’re not prepared. In fact, with calls to create “backdoors” and encryption master keys, they’re actively tearing down our defenses, thus making everyone’s problem worse. 

Government, heal thyself
Countless government breaches, like ones affecting the State Department, White House email, and the OPM, have proven attackers can infiltrate government networks and hijack the accounts of key government employees, showing government defenses are less than perfect. Shouldn’t they be spending more time building their defenses rather than knocking their citizens’ down?

When governments make commercial software and public networks part of their “cyber battleground,” they expose private citizens and organizations to the “war.” Unfortunately, I expect future “state-sponsored” attacks will include private targets, like we saw with Sony Pictures in 2014. With governments weakening the security of consumer products, how will their citizens survive such attacks?

The very act of promoting a red team, responsible for carrying out cyber attacks, is at odds with the motivation of building a defense team. By definition, a red team is motivated to find ways to defeat defenses, and more importantly, to stockpile and hide those attack techniques so that they can continue to use them. How do you fix a problem you don’t know about, when it’s in the red team’s best interest to keep that problem hidden?

If a government red team finds a new zero day flaw in commercial software, will they share it with the world so we can fix it and all be safe, or will they hold onto it for their next attack campaign, leaving the potential for other bad actors to find and exploit the flaw as well? Do governments realize that leaving their citizens exposed to such flaws will likely affect their own country as well? I would like to think the answer is yes, but hearing of authorities around the world exploiting blackhat hacking techniques to catch criminals makes me think otherwise.

Yes, I agree that it’s great that we caught a nasty criminal, but do you realize the public safety you might be sacrificing so the police can hang on to their favorite 0day?

In my opinion, the ends don’t always justify the means. If the means include citizens of a free democracy sacrificing privacy, freedom, and security all for the sake of some vague idea of safety that governments can never really deliver on, I say to heck with those means.

Rather, if governments are really serious about our digital security, they need to get serious about information security. They should spend their time making Apple, and all other public and private vendors’ security features stronger; they should create unbreakable encryption that protects all citizens’ communications; and they should find and plug every zero day vulnerability they can, so no terrorist or nation state can leverage it to gain asymmetric power over others.

As I believe Gibney’s documentary will illustrate (and I argued a year ago), Stuxnet opened the Pandora’s box of the cyber arms race. If we want to close that box, we should focus less on the arms and more on building better armor.


Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ...
Comments
CoreyN293, User Rank: Apprentice
3/7/2016 | 8:02:51 PM
Re: John McAfee
BTW.. an update to my response that I thought McAfee's claims about hacking the iPhone 5c were all bluster... Turns out I was on to something... A new article just came out where he said he lied about it to get more attention on the issue... I can't share the direct link, but you can find it on The Daily Dot, titled:

John McAfee lied about San Bernardino shooter's iPhone hack to 'get a s**tload of public attention'


CoreyN293, User Rank: Apprentice
3/4/2016 | 5:28:30 PM
Re: John McAfee
I think it's all bluster... As another security expert already said, if McAfee really had someone that could crack the iPhone 5c, he'd actually use a real 5c and do a video proof-of-concept (PoC) on that phone to prove it. In other words, pics, or in this case, video or it didn't happen...

That said, sure it's theoretically possible that there is a vulnerability somewhere in iOS that a researcher finds one day, but until McAfee shows a PoC, I assume it's all talk...

CoreyN293, User Rank: Apprentice
3/4/2016 | 5:24:24 PM
Re: Ends Don't Justify the Means
I actually think intelligence gathering attempts are proper in this case.

I honestly don't care about the privacy of a dead terrorist and murderer... So I don't think there is anything wrong with the FBI having all the terrorist's stuff and trying to break into this phone... However, I do think asking an external third party to specifically break a security control and have to take the undue burden of designing a special operating system for this one case is too much...

I do care about the privacy of Apple's millions of other customers. So while the FBI does keep insisting this special firmware will only be for this one phone, I think this would set a precedent for many others, which may not be as clear cut as this one terrorist case... Plus, it doesn't even discuss how much burden a private company needs to go under to support the authorities... If they do decrypt this one phone, and then authorities come to Apple with hundreds of other phones, next thing you know Apple is spending all its time and money on something that is really not their business.. So besides just the fact that the existence of this technique makes everyone's phones less safe, we need to also consider the burden on a private business that had nothing to do with the attack.

RyanSepe, User Rank: Ninja
3/2/2016 | 8:20:15 AM
Ends Don't Justify the Means
I agree with you that in this case the ends do not justify the means because they jeopardize the privacy of so many others. But when is intelligence gathering the proper course of action? The phone in question could harbor data that may lead to potential saving of lives, etc.

RyanSepe, User Rank: Ninja
3/2/2016 | 8:13:30 AM
John McAfee
Is there truth in that John McAfee interview around the ability of cracking into an iPhone? Logically what he is saying makes sense, but I think he is oversimplifying the process of cracking into the phone.