Information Technology and Ethics/Encryption/Cryptography and Privacy
The USA has had a long history with cryptography, which started out as something used primarily by government agencies and not widely available to the public. The US and its allies have numerous signals intelligence gathering operations which attempt to monitor electronic communications. The principles behind some of these intelligence programs can be traced back to WW2, when the Allies designed systems to break the Enigma encryption used by the Axis powers.
Claude Shannon is arguably the father of contemporary cryptography. His works, "Communication Theory of Secrecy Systems" and "Mathematical Theory of Communication" (in conjunction with Warren Weaver), informed and shaped the face of cryptography as we understand it now.
The 1970s changed the face of cryptography with the release of cryptographic safety standards for business and large-organization communications. This signaled a shift of cryptography from the private to the public sphere.
Types of Cryptography
Also referred to as public-key cryptography/encryption, asymmetric cryptography refers to the fact that one party will have a "secret key" called a private key, and the other will have a public key. The private key is the only key that can be used to decrypt data, whereas those with public keys can only encrypt data to be received by the owner of the private key.
Also called private-key cryptography/encryption, symmetric cryptography, in contrast to asymmetric, uses a single "secret" key, shared between two or more users, to encrypt plain text and decrypt cipher text. The disadvantage is that all users in the connection need to have the same secret key, which generally requires a separate method for key exchange, often using asymmetric cryptography.
Also known as one-way encryption, hashing acts as a "digital fingerprint" for identification purposes, and cannot be decrypted.
Email encryption is a combination of asymmetric and symmetric encryption. The message is encrypted using symmetric encryption, and the key used in symmetric encryption is encrypted using asymmetric encryption. Some types of email encryption include S/MIME (Secure Multipurpose Internet Mail Extensions), PGP/MIME, MOSS (MIME Object Security Services) and MSP (Message Security Protocol).
Identity Verification and Encryption
Asymmetric cryptography is important for identity verification because it lets a party validate who they are interacting with. An example of this is HTTPS, which uses a certificate system to verify the identity of a server in order to prevent man-in-the-middle attacks. Asymmetric cryptography is often used in this situation to establish a secure communications channel, which then uses symmetric cryptography for the actual communications.
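As an added example (not part of the original page), the Python code below uses the standard ssl module to contrast a client configuration that verifies the server's certificate and host name, as HTTPS does, with one that skips both checks. The function names are chosen here for illustration.

```python
import socket
import ssl

def strict_client_context():
    """Client settings that authenticate the server, as a browser does for HTTPS."""
    ctx = ssl.create_default_context()        # trusts the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def unverified_client_context():
    """Weak setting for comparison: traffic is encrypted, the peer is unknown."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def skipped_identity_checks(ctx):
    """List the server-identity checks that a context does not perform."""
    skipped = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        skipped.append("certificate chain not validated against trusted CAs")
    if not ctx.check_hostname:
        skipped.append("certificate name not matched to the requested host")
    return skipped

def verified_peer_subject(host, port=443, timeout=5.0):
    """Connect and return the certificate subject; needs network access.

    The handshake raises ssl.SSLCertVerificationError when the chain or the
    host name does not check out, so no application data reaches an impostor.
    """
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname is the name the certificate must be valid for
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["subject"])

if __name__ == "__main__":
    for name, make in (("strict", strict_client_context),
                       ("unverified", unverified_client_context)):
        print(name, skipped_identity_checks(make()) or "all identity checks on")
```

A connection made with the unverified context is still encrypted, but nothing ties the key exchange to the intended server, which is the gap a man-in-the-middle relies on.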
There has long been controversy when it comes to government involvement in cryptography. Back in 1993 it was revealed that the Government was developing a key escrow system so that they would be able to decrypt mobile communications by using a built-in backdoor. This system was implemented in the Clipper chip, which was widely criticized by the public at the time and ultimately failed to gain adoption. More recently this debate has resurfaced in the case of the FBI and Apple, in which the FBI asked Apple to build a modified version of their operating system that would essentially have a backdoor allowing an iPhone password to be brute forced. Many have theorized that the FBI is ultimately trying to set a precedent to prevent Apple from developing more secure versions of the encryption technology that even Apple can't break.
There are a number of different ways to exploit cryptographic systems, ranging from brute force attacks on weak keys to exploiting implementation flaws in the software itself. Cryptographic systems are notoriously hard to build correctly, which has made “don't roll your own crypto” a common saying. Some cryptographic algorithms have also been intentionally designed to have backdoors, such as the NSA-designed Dual_EC_DRBG. There has also been pressure from governments to integrate backdoors into encryption systems so that law enforcement can decrypt any data they want to.
Heartbleed was a widely publicized and critical vulnerability in the OpenSSL cryptographic library that resulted in the leaking of private keys and potentially other information held in RAM on servers. It allowed for the widespread decryption of HTTPS traffic, and it has been theorized that the NSA was aware of this vulnerability.
Zero-day refers to vulnerabilities being exploited in the time between when an exploit becomes known and when a security patch is released. They got the name because you have zero days to patch them before they can be exploited.
This case set a precedent for 5th Amendment protection in the case of forced decryption. Two laptops and five external hard drives were seized from a Florida man’s home by the FBI, however, they were unable to view the information stored due to encryption. When asked to decrypt the data, the man “invoked his Fifth Amendment privilege”. The 11th U.S. Circuit Court of Appeals ruled: “the act of decrypting data is testimonial” and consequently protected.
A federal district court in Colorado wanted to force Ramona Fricosu, who was under investigation for fraudulent real estate transactions, to enter the password to her encrypted laptop. She was granted some leeway by officials that not all of her data would be used against her, but there were no guarantees regarding what was “fair game”.
In 2011, an amicus brief was issued stating that asking her to do so would be unconstitutional, as it basically forces her to be a witness against herself. In 2012, a court ruled that she could be forced to decrypt the laptop.
This case has historical significance regarding the exportation of encryption software overseas, as well as upholding the precedent that software source code is protected under the First Amendment.
Junger was a professor at Case Western Reserve University who was told that he could not have non-US citizens in his upcoming Computer Law class because of the strict restrictions on US encryption software.
Bernstein has been challenging the courts regarding the export of cryptography software since 1995. His initial case set the precedent that software (even encryption software) should be protected under the First Amendment. He continues to battle the government in court regarding export law and works as a professor at the University of Chicago.
Current and Recent Affairs
On Tuesday April 26th, 2015, infamous whistleblower Edward Snowden took part in the first public debate on encryption with CNN journalist Fareed Zakaria.
He argued that the “security of the Internet is more important than the convenience of law enforcement.” By the end of the debate, Zakaria said he did not support the legislation proposed by Sens. Richard Burr, R-N.C., and Dianne Feinstein, D-Calif., which would mandate that companies immediately decrypt all communications when asked by a court.
This issue continues to be an ethical point of contention in the IT community.
Days before a scheduled court appearance in response to the San Bernardino shootings, the FBI has dropped their case against Apple. The FBI says they bought a hacking tool for $1.3m which allowed them to exploit a weakness and break into gunman Syed Farook's phone. They have not disclosed what this weakness may be. However, this raises the question as to whether or not the theoretical idea of a "backdoor" has in fact become a reality. With this on the line, encryption software is becoming a more prominent topic in the news, especially as we examine all of the potential ethical implications and cyber security threats.
WannaCry Ransomware Attack
The use of encryption tools was called into question after the devastating ransomware attack in 2017. The attack breached users' systems, encrypted their information and demanded huge ransom amounts for releasing the decryption keys. In some reported cases no keys were released even after a huge ransom was paid. The attack was carried out by scanning for a vulnerable TCP port 445, which was found to be vulnerable in many Windows operating systems. A famous exploit called “EternalBlue” was already available on the internet, and the attack used this vulnerability to breach the system. Once inside, it encrypted user files and demanded ransom in the bitcoin cryptocurrency. The malware was identified by the names wcry, WCRY and WNCRY. It not only encrypted user files but also opened backdoors to remote servers and injected other malware. Even though Microsoft came up with patches for this vulnerability, they were unable to decrypt the files and close the backdoors. This incident led to a serious discussion about the use of encryption: although encryption was designed for a positive cause, its use for a negative purpose caused financial and reputational loss to many organizations. Countermeasures were developed to prevent this attack, but attackers are still successful in breaching systems and encrypting user information.
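Because the spread described above depends on one machine probing many others on TCP port 445, a defender can look for that pattern in network flow records. The following Python detection logic is an added example, not part of the original page; the record format, addresses, threshold and window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445

# Constructed flow records (time, source, destination, destination port).
SAMPLE_FLOWS = (
    # one host sweeping six neighbours on 445 within six seconds
    [f"2024-01-01T09:00:0{i} 10.0.0.5 10.0.0.2{i} 445" for i in range(6)]
    # a normal client returning to the same file server
    + [f"2024-01-01T09:0{i}:00 10.0.0.9 10.0.0.2 445" for i in range(6)]
    # five different servers, but spread over forty minutes
    + [f"2024-01-01T09:{i}0:00 10.0.0.7 10.0.0.3{i} 445" for i in range(5)]
    # unrelated HTTPS traffic from the sweeping host
    + ["2024-01-01T09:00:03 10.0.0.5 10.0.0.40 443"]
)

def parse_flow(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def smb_sweepers(lines, min_hosts=5, window=timedelta(seconds=60)):
    """Map each source to the most distinct hosts it contacted on TCP 445
    inside any one window, keeping only sources that reach min_hosts."""
    by_source = defaultdict(list)
    for ts, src, dst, port in map(parse_flow, lines):
        if port == SMB_PORT:
            by_source[src].append((ts, dst))
    flagged = {}
    for src, events in by_source.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _dst) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= min_hosts:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(smb_sweepers(SAMPLE_FLOWS))
```

Only the sweeping host is flagged with the default settings; the window and threshold have to be tuned to the normal file-sharing behaviour of the network being monitored.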
Secure Passwords
Passwords are close to, if not, the number one piece of information you need to keep protected as a user, since a password may be all a hacker needs to gain access to your account. This is because things such as your email address are possibly already public. To choose a secure password, create one that has about 30 characters with a mix of letters (upper case and lower case), symbols, and numbers, so that scripts that guess passwords will not figure your password out.
Turning On Two Factor
Wherever possible, use two factor authentication. This is something such as inputting your phone number and receiving an SMS code to verify that it is you logging into your account. This is done because routing SMS texts from phone numbers is difficult to do.
Updating Software
Users tend to put off software updates as they don’t exactly love change, but software updates contain vital code fixes that repair possible security flaws in a system.
Protection Against Phishing Scams
As we learned, phishing scams are cyber attempts to steal information from users by disguising things such as emails as coming from trusted sources. Tips to catch one of these scams are to always verify the email address sending the request for information and to check spelling and grammar in the email for accuracy.
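The advice to verify the sending address can be automated. This added Python example (not from the original page) ignores the display name, which the sender controls, and classifies only the address domain; the allowlist, the 0.85 similarity threshold and the sample headers are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Hypothetical allowlist: domains this user really expects requests from.
TRUSTED_DOMAINS = frozenset({"example.com"})

def sender_domain(from_header):
    """Domain of the real address; the display name is free text and ignored."""
    _display, addr = parseaddr(from_header)
    local, at, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if at and local else ""

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return 'trusted', 'lookalike', 'unverified' or 'invalid'."""
    domain = sender_domain(from_header)
    if not domain:
        return "invalid"
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    for t in trusted:
        # trusted name embedded in somebody else's domain
        if (t + ".") in domain:
            return "lookalike"
        # near-identical spelling, e.g. a digit swapped for a letter
        if SequenceMatcher(None, domain, t).ratio() >= threshold:
            return "lookalike"
    return "unverified"

# Constructed From headers, all carrying the same reassuring display name.
SAMPLES = [
    "Example Billing <billing@example.com>",
    "Example Billing <billing@mail.example.com>",
    "Example Billing <billing@examp1e.com>",
    "Example Billing <billing@example.com.account-verify.test>",
    "Example Billing <billing@unrelated.test>",
    "Example Billing <>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):<11} {header}")
```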