Data Security and Computer Forensics: Part 1


By Daniel Hains 

For the past decade, data security and online privacy have been topics of much debate and scrutiny, and the discussion will continue for the foreseeable future.  The use and misuse of our electronically stored information has arisen time and again.

When cloud storage first emerged, users were largely sceptical of the security of their information.  Even in the early stages of this technology, it became apparent that users’ data was being stored somewhere outside of their perceived control.  Lack of understanding and distrust in new technology meant that there was initially some avoidance and slow uptake rates on cloud storage.

Current evidence based on rates of adoption suggests that now, when we provide personal information to websites such as banks, government and social media, we are more comfortable with cloud data arrangements and assume that our private information is sent and stored securely.  We may be happy putting a PIN on our digital devices for the same reason: to prevent unwanted access by others.

Part 1 in this Data Security and Computer Forensics Series will look at the mechanism for ensuring the security of our electronically stored information (“ESI”), known as encryption.

What is encryption?

Encryption is the process of converting information from a readable format into unreadable data, but doing so in a way that allows the data to be returned to its original state with proper techniques.  To the untrained eye, data that has been encrypted on a computer system will appear simply as random data and may be ignored in favour of more readily accessible (i.e. unencrypted) information.

A common method used in digital encryption is the Diffie-Hellman key exchange, which is the process of using public and private ‘keys’ to generate a shared secret key using complex mathematical algorithms.  This shared secret key is then used to rearrange the digital ‘bits’ of your information so that it becomes unreadable.  The only way to rearrange the bits back to their original state is with the shared secret key.

The operation of encryption is the same as that of a physical lock – simple in one direction (that is, to ‘lock’ the data) but extremely complex in the other direction (i.e. a key is required to unlock the data).

The public key is exactly that, public.  The private key is the important second half of the puzzle, and should only ever be known by the person to whom it belongs.  In normal use, if you were to send information to another party using encryption, you would use your private key and the receiving party’s public key to generate the shared secret key and perform the encryption.  The receiving party then uses their private key and your public key, which results in the same shared secret key, to decrypt the information back to its original state.

Without the correct pair of public and private keys, the information cannot be decrypted.  This is the key to encryption.
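
The exchange described above can be followed in a short Python sketch. This is an added example, not code from the author: the group parameters P and G are toy values chosen here (far too small for real use), the party names are hypothetical, and xor_stream is a stand-in for a real cipher such as AES.

```python
import hashlib
import secrets

# Toy group parameters assumed for this example only: P is the Mersenne prime
# 2**127 - 1. Deployed systems use 2048-bit or larger groups, or elliptic curves.
P = 2**127 - 1
G = 3


def generate_keypair():
    """Return (private, public) where public = G^private mod P."""
    private = secrets.randbelow(P - 3) + 2          # random exponent in [2, P-2]
    return private, pow(G, private, P)


def shared_key(my_private, their_public):
    """Combine my private key with the other party's public key into a 32-byte key."""
    if not 1 < their_public < P - 1:
        raise ValueError("public key out of range")
    secret = pow(their_public, my_private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def xor_stream(key, data):
    """Toy cipher (not AES): XOR the data with a SHA-256 based keystream.
    Applying it twice with the same key restores the original bytes."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def demo():
    sender_priv, sender_pub = generate_keypair()
    receiver_priv, receiver_pub = generate_keypair()
    other_priv, _ = generate_keypair()               # a third party with its own key

    k_sender = shared_key(sender_priv, receiver_pub)    # own private + receiver's public
    k_receiver = shared_key(receiver_priv, sender_pub)  # own private + sender's public
    k_other = shared_key(other_priv, sender_pub)        # wrong private key, different result

    ciphertext = xor_stream(k_sender, b"constructed sample message")
    recovered = xor_stream(k_receiver, ciphertext)
    return k_sender == k_receiver, recovered, k_other == k_sender
```

Only the two public values ever cross the wire; the shared key is computed independently on each side and is never transmitted.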

Hashing – one-way encryption

Another method of storing information, in particular passwords, in a usable but unreadable format is in the form of a “hash”.  A password table is a classic use of the hashing technique.  A complex mathematical algorithm is applied to a password to convert it into a set of alpha-numeric characters.

Once again, the concept of a ‘lock’ applies such that this process is easy to perform in the primary direction, but nearly impossible to do the reverse, i.e. convert a hash back to a password, without knowing the method by which they were originally hashed.  When an application (such as a website) checks if a password is valid, it applies the same hashing algorithm to the password entered and checks if the resulting hash matches the hash stored for authentication.

A number of online data breaches have been the result of performing ‘brute force’ or ‘dictionary’ attacks on these password hashes.  Since trying to reverse the hash is an exercise in futility, hackers will throw vast combinations of letters, numbers and symbols at the hashed password, using the same mathematical algorithm, in the hope that one of the resulting combinations produces a hash that matches[1].  If it does, they now know your password.[2]
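
How a password table can be built and checked so that guessing is slow and identical passwords do not share a hash is sketched below. This is an added example, not code from the author: the user names, sample password and iteration count are assumptions, and PBKDF2 from Python's standard library is used as the slow, salted hash.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; raise it as hardware allows


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated for each new password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Re-hash the entered password with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def unsalted_sha1(password):
    """Fast, unsalted hash shown only for contrast: equal passwords give equal hashes,
    so one successful guess applies to every account that shares the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_table(users=("alice", "bob"), password="Summer2017"):
    """Constructed password table in which every user picked the same password."""
    return {user: hash_password(password) for user in users}
```

With a per-user salt, each stored entry has to be guessed separately, and the iteration count multiplies the cost of every guess.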

This process is behind the well-known advice to use complex passwords; however, hackers are becoming increasingly clever.  Hackers understand the general patterns or rules that users apply to create a password: for example, the letter ‘o’ is replaced with a zero, the first letter is usually capitalised and there is often a year at the end. Applying these rules can greatly reduce the time required to hack a complex password.
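
A sign-up form can apply the same reasoning defensively by undoing those predictable changes and rejecting a password whose core is a common word. The following is an added example, not code from the author: the word list is a constructed sample, and every character swap other than zero for ‘o’ is an assumption.

```python
import re

# Constructed mini word list for this example; a real check would load a large
# list of common and previously breached passwords.
COMMON_WORDS = {"password", "football", "dragon", "welcome", "monkey"}

# Look-alike swaps to undo. Only '0' for 'o' is named in the article; the other
# entries are assumed here as similar substitutions.
UNSWAP = str.maketrans({"0": "o", "3": "e", "4": "a", "@": "a",
                        "5": "s", "$": "s", "1": "i"})


def base_word(password):
    """Reduce a password to its underlying word by reversing the common rules."""
    core = password.rstrip("!?.#*")                 # trailing punctuation
    core = re.sub(r"(?:19|20)\d{2}$", "", core)     # year at the end
    return core.lower().translate(UNSWAP)           # capitalisation and swaps


def is_predictable(password):
    """True when the password is a common word dressed up with the usual rules."""
    return base_word(password) in COMMON_WORDS
```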

How does Ransomware work?

There has been a lot of media coverage about “ransomware” attacks on computers. In fact, it is likely that you or someone you know has been a victim of such an attack.  The most well-known variant of ransomware attack is the “CryptoLocker” variant.  Recently, there have been two new instances of crypto viruses known by names such as “WannaCry” and “NotPetya”.

Ransomware works by tricking you into allowing the attack onto your computer, usually by opening a seemingly harmless email attachment.  Malicious code ‘encrypts’ your information so that you can no longer access your documents, photos and other information until you pay the attackers a ransom, usually in the form of a digital currency called Bitcoin.  The success of these attacks relies on the fact that once your information has been encrypted, no one except the attackers can ‘decrypt’ your information back to its original state.

How does Ransomware utilise Encryption?

Ransomware deviates from normal encryption use by self-generating your public and private keys, encrypting your information, and then stealing your private key and storing it elsewhere so that you cannot access your information. Upon paying the ransom, the attackers purport to give you back your private key so that you can decrypt your information again.

Encryption is becoming a mainstream part of communications and technology.  As with most technology it can be put to good use, such as securing your credit card information when you make online purchases.  Conversely, it can also be used to secure communications between parties or organisations, or used against you by scrambling your information beyond recovery.

Issues with encryption

Encryption doesn’t always work as intended though.  Certain implementations can sometimes be bypassed, as evidenced by the recent breaches of personal information from websites such as Yahoo![3] and Ashley Madison[4]. In other cases, encryption can be used by ‘ransomware’ viruses to encrypt your information and withhold the decryption keys until you pay a ransom.  Encryption is also used by terrorist organisations to secure their communications from authorities.

More recently, Prime Minister Turnbull has begun pushing for legislation to be implemented by the end of 2017 that will force phone manufacturers and secure messaging providers (for example, WhatsApp, Wickr) to provide access to encrypted devices and communications for law enforcement agencies, but without weakening encryption or implementing a government ‘back door’ function.  Similar legislation already exists in the UK under the Investigatory Powers Act.[5]

Improvements in mobile device encryption

Apple has improved its products to provide ever stronger encryption measures to appease its customers.  From the original iPhone up to the iPhone 4, commercial tools were available to law enforcement and forensic practitioners that bypassed the security mechanisms used to protect the phone’s information.  Apple suffered public derision when these workarounds became more widely known and subsequently changed its encryption methods.

From the iPhone 4S onwards, Apple implemented better hardware and software encryption capabilities.  While this closed the loopholes that allowed commercial tools to work, the ongoing game of cat and mouse continued and companies such as Cellebrite were able to engineer methods to continue to bypass the new security measures, albeit at significant cost.[6]

Previously, at least since the iPhone 4S models, Apple iPhones remained completely secure; however, it appears Cellebrite now offers unlocking services for even the latest mobile devices to law enforcement agencies with valid warrants.[7]

Stay tuned for Part 2 in the series – where we take a look at a case study and its implications, alternative sources of information and defending the security of your data…

References

  • [1] Even if a common hashing method is used (MD5 / SHA-1), a website may use a ‘salt’ which adds a random piece of information to each password before hashing, thereby adding a layer of complexity and making reverse engineering more difficult in the event of hacking.
  • [2] https://www.wired.com/2016/06/hacker-lexicon-password-hashing/
  • [3] https://www.wired.com/2016/12/yahoo-hack-billion-users/
  • [4] https://www.oaic.gov.au/privacy-law/commissioner-initiated-investigation-reports/ashley-madison
  • [5] http://www.theage.com.au/federal-politics/political-news/apple-flies-in-top-executives-to-lobby-turnbull-government-on-encryption-laws-20170719-gxebvn.html
  • [6] http://www.cellebrite.com/Pages/services
  • [7] http://go.cellebrite.com/cais_unlock

Want to know more?

If you would like to know more about data security and computer forensics, please contact Forensic Services Director Dan Hains.

An Important Message

While every effort has been made to provide valuable, useful information in this publication, this firm and any related suppliers or associated companies accept no responsibility or any form of liability from reliance upon or use of its contents.  Any suggestions should be considered carefully within your own particular circumstances, as they are intended as general information only.

 

 
