Saturday, August 11, 2012

International Banking: Not As Safe As We Thought

Jamie Douglas

All expats, all over the world, regardless of where they are from and where they are at, have to deal with financial institutions. Those of us who have internet access at home or in public places have always been assured that our transactions were secured by something called SSL encryption, a method that, “experts” told us, was inviolable. Or so we were told.

Now, in the same month that the CIA has been hacked, researchers, mathematicians as well as very capable cryptographers, have discovered an apparent series of flaws that allow malicious users of the internet to break the code which, when used properly, makes it theoretically impossible to intercept the flow of information between two encrypted correspondents. Yet the weakness lies not in the cipher itself but in the random numbers used to generate its keys.

The chances of your being affected are very small, 2 in 1000. That, taking into account the hundreds of millions of online transactions taking place daily, opens up a giant window of opportunity for the hackers in Eastern Europe, Israel, and China. Our entire faith in the SSL system rests on the assumption that it is inviolable.

For expats or anyone else conducting financial transactions over the internet, there is nothing you can do. The ball lands squarely in the court of the big site operators: sites like Amazon.com, all large financial institutions, the IRS, and their equivalents in other nations. Every individual is a potential victim of this weakness in the system, without the slightest ability to protect themselves, other than giving up the modern conveniences of online banking and shopping.

These discoveries were originally slated to be published at a cryptography conference this coming August in Santa Barbara, California; however, the urgency of the discovery raised such serious issues that a decision was made to release the findings immediately. The researchers, including the highly respected Dutch mathematician Arjen K. Lenstra, the renowned professor at the École Polytechnique Fédérale de Lausanne in Switzerland, used the Euclidean algorithm to examine the public key numbers, and they were able to prove that a small proportion of those randomly generated numbers were not so random after all.

In their publicly released findings, they stated that there are almost 27,000 keys that offer no security. “Their secret keys are accessible to anyone who takes the trouble to redo our work.” The original work was enabled by the fact that there were databases of the publicly available keys, which were kept at the Massachusetts Institute of Technology as well as the Electronic Frontier Foundation.
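The check the researchers describe, applied to a handful of constructed toy-sized keys, as an added example that is not code from the article or from the researchers: if two public moduli share a prime factor (the symptom of a poor random number generator), the Euclidean algorithm reveals it instantly and the private key follows. The pairwise loop is the simple form; the researchers used a faster batch variant to cover millions of keys. All primes and the `audit` helper are constructed for illustration.

```python
# Added example (not from the article or the researchers' code): audits a set of
# RSA public moduli for a shared prime factor with the Euclidean algorithm (gcd).
# Toy-sized constructed primes keep the arithmetic readable; real keys are huge.
from math import gcd
from itertools import combinations

E = 65537  # the usual RSA public exponent

def make_modulus(p, q):
    """Return the public modulus n = p*q for two primes."""
    return p * q

def find_shared_factors(moduli):
    """Pairwise gcd over moduli; a result > 1 is a prime shared by two keys.
    Returns {modulus: shared factor} for every modulus that has one."""
    weak = {}
    for n1, n2 in combinations(moduli, 2):
        g = gcd(n1, n2)
        if g != 1:           # both keys sharing the prime are broken
            weak[n1] = g
            weak[n2] = g
    return weak

def recover_private_exponent(n, p, e=E):
    """With one prime known, the other is n // p and d follows from e."""
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)   # modular inverse, needs Python 3.8+

# Constructed toy keys: a bad RNG handed two different "owners" the same prime 1009.
P_SHARED, Q1, Q2, P3, Q3 = 1009, 1013, 1019, 1021, 1031
MODULI = [make_modulus(P_SHARED, Q1), make_modulus(P_SHARED, Q2), make_modulus(P3, Q3)]

def audit(moduli=MODULI):
    """Return ({weak modulus: recovered private exponent}, [moduli that passed])."""
    weak = find_shared_factors(moduli)
    broken = {n: recover_private_exponent(n, p) for n, p in weak.items()}
    safe = [n for n in moduli if n not in weak]
    return broken, safe

if __name__ == "__main__":
    broken, safe = audit()
    for n, d in broken.items():
        # prove the recovered d works: an encrypt/decrypt round-trip succeeds
        assert pow(pow(42, E, n), d, n) == 42
        print(f"modulus {n}: shared factor found, private exponent recovered")
    print(f"{len(safe)} modulus/moduli passed the gcd check")
```

Running the same loop over an organisation's own certificate inventory is the defensive use: any modulus that shares a factor with another must be replaced, and the key generator that produced it investigated.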

Another of the researchers, James P. Hughes, a cryptanalyst who worked with the group, insisted: “…we were very careful: we did not intercept any traffic and we did not sniff any networks. We went to databases that contained public information and downloaded the public keys.”

They point out that their lack of sophisticated methods makes it that much more likely that some malicious hackers discovered the flaws in the random number generators some time before they did. “The quagmire of vulnerabilities that we waded into makes it infeasible to properly inform everyone involved, though we made the best effort to inform the larger parties and contacted all email addresses recommended or specified in still valid certificates. The fact that most certificates do not contain adequate contact information limited our options. Our decision to make our finding public at this time, despite our inability to directly notify everyone, was a judgment call.”

And a very good one, I might add. With the publicity surrounding this issue, it is highly unlikely that any corporate IT security department will ignore this, and I am sure that a lot of midnight oil will be burnt from Berlin to Bangalore until this problem is patched.

And what can you do to protect yourself? Tell your in-house IT guy or gal to make sure that the random numbers feeding your key generation are genuinely random, so that no two keys end up built from the same number.

With this, I have done my job to disseminate this information to you. Please pass it on.

Jamie Douglas
