The Roots of Modern Cryptography: Uncovering 16th Century Crypto Skullduggery.

S3 Ep137: 16th century crypto skullduggery

The recent episode of the Naked Security podcast discussed a ransomware attack against a technology company in Oxfordshire, England. One of the company's own defensive team members, who was supposed to be helping to deal with the attack, decided to hijack the ransomware payment instead. He began emailing his employer from home, using a typosquat-style email account that closely resembled the crooks' address. He hijacked the email thread, changed the Bitcoin address in the historical email trail, and began negotiating as a man-in-the-middle.

However, things didn't go as planned. The company decided not to pay up, which left the insider with no Bitcoin to steal and no way to cut and run. He also did not hide his tracks very well, and his unlawful access to the email logs came out in the wash.

The 16th-century inspiration

The episode also referenced the religious and political rivalry between Mary Queen of Scots and Queen Elizabeth I during the 1580s. At the time, Mary was living in some luxury but confined to a castle, and was in fact plotting against her cousin, Queen Elizabeth I, although nobody could prove it. Mary was sending and receiving messages stuffed into the bungs of beer barrels delivered to the castle. The man-in-the-middle was a cooperating beer supplier who would remove the messages before Mary got them so they could be copied. He would then insert replacement messages, encrypted with Mary's own cipher, containing subtle changes that eventually persuaded Mary to put more in writing than she probably should have. She not only gave away the names of other conspirators, but also indicated that she approved of the plot to assassinate Queen Elizabeth.

Protecting Against Insider Threats

The recent instance of a cybersecurity insider attempting to ransom their employer highlights the importance of protecting against insider threats. Three key measures to protect against such threats are:

Divide and Conquer

Divide responsibility, authority, and access between different people, so that no single person has unfettered access to everything if that individual turns out to be untrustworthy or becomes a criminal's target.

Keep Immutable Logs

Immutable network logs can serve as evidence that access was inappropriate or that logged transactions were altered.

Always Measure, Never Assume

Do not simply assume that employees are trustworthy. It is better to always have measures in place to detect abuse and mitigate its effects.

OAuth Authentication Vulnerabilities

The podcast further discusses an authentication vulnerability discovered in an app-building toolkit called Expo. Salt, a web-coding security analysis company, found this vulnerability. Expo supports OAuth, which is used to support logging in with social media accounts such as Google, Facebook, or Apple.

Attackers could sidestep the normal client-side script by doing the work in their own server-side script, constructing links so that a target who visited the URL would see no prompts and no authentication dialogue to dismiss.

Three tips for protecting oneself from OAuth authentication vulnerabilities:

Fail-Closed Authentication Checks

Your authentication checks should be 'fail-closed', that is, if verification fails for any reason, the authentication process should default to refusing access rather than letting the login through.

Verification Process

It is important not to rely solely on client-side code to verify that everything is legitimate. There are other ways that subversive code could cause an authorization code to be generated and passed down to the app, bypassing the authentication process altogether.
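To make the fail-closed and server-side verification points concrete, here is an added example (not code from the podcast, from Expo or from Salt) of a server-side OAuth callback check. It assumes the provider redirects back with `code` and `state` parameters and that the app also carries the return URL it started the login with; the parameter names and the allow-listed URL are constructed for this illustration.

```python
import hmac
import secrets
from typing import Optional, Tuple

# Constructed allow-list: the exact return URLs registered for this app.
# A real deployment would load these from its OAuth client registration.
ALLOWED_REDIRECTS = {"https://app.example.com/oauth/callback"}


def new_login_state() -> str:
    """Server-generated, unguessable state value stored in the login session."""
    return secrets.token_urlsafe(32)


def verify_callback_fail_open(params: dict, session_state: Optional[str]) -> Tuple[bool, str]:
    """Weak pattern for contrast: only refuses when a check explicitly trips.
    A missing state value (or a missing session) silently lets the login through."""
    if "state" in params and session_state and params["state"] != session_state:
        return False, "state mismatch"
    return True, "ok"


def verify_callback(params: dict, session_state: Optional[str]) -> Tuple[bool, str]:
    """Fail-closed check of the parameters an OAuth provider redirects back with.
    Every required value must be present and valid; anything else, including an
    unexpected error while checking, is treated as a refusal."""
    try:
        code = params.get("code")
        state = params.get("state")
        redirect_uri = params.get("redirect_uri")
        if not (code and state and redirect_uri and session_state):
            return False, "missing parameter"
        # Constant-time comparison of the server-issued state against the session copy.
        if not hmac.compare_digest(state, session_state):
            return False, "state mismatch"
        # Exact-match allow-list: no prefix matching, no attacker-chosen return URL.
        if redirect_uri not in ALLOWED_REDIRECTS:
            return False, "redirect_uri not registered"
        return True, "ok"
    except Exception:
        # Anything unexpected (e.g. a malformed value) denies rather than allows.
        return False, "verification error"
```

Compare the two functions on a callback that arrives without a `state` value: the fail-open version accepts it, the fail-closed version refuses.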

Logging Out of Web Accounts

Always remember to log out of web accounts when you are finished.
