Sometimes It Feels Like Only Cyber Criminals Know How To Use Encryption Properly

Day after day we see poor implementations of encryption by companies, where sensitive information such as passwords and credit card…


Sometimes It Feels Like Only Cyber Criminals Know How To Use Encryption Properly

Day after day we see poor implementations of encryption by companies, where sensitive information such as passwords and credit card details is not properly encrypted. The term “partially encrypted” has even been used in reporting on the TalkTalk and Equifax data breaches, and what that actually means is beyond me.

Encryption is increasingly used by cyber criminals both to obfuscate their activities and to lock down data (as with ransomware). In the BA hack we saw cyber criminals set up an encrypted channel and avoid detection by network scanners.

Sometimes, too, it seems that cyber criminals understand how to use encryption, while its implementation across the industry is often poor.

Increasingly we must encrypt data at its source — end-to-end — and not rely on network tunnels to protect it. Unfortunately, few developers implement any encryption within the browser, even as we are increasingly faced with browser hijacks such as the BA and Ticketmaster hacks. One caveat: encrypting in the browser only helps if the page itself is trusted — a script injected into the checkout page, as in those attacks, reads the form fields before any encryption runs, so it must be paired with controls that keep injected scripts out (such as Subresource Integrity and a Content Security Policy).

One way that an intruder can get past an email scanner is to encrypt the contents of the email and have the recipient's mail client decrypt them with JavaScript. The following shows such an encrypted email:

The following shows the HTML in the email:

<!-- Sample taken from a spam email. The "encryption" here is client-side obfuscation only:
     the passphrase travels in the same file as the ciphertext, so anyone (or any filter) that
     reads or executes the script recovers the message; it only defeats scanners that do neither. -->
<html><head><script src='imgs/owa.js'></script><script>
// Passphrase from which the 256-bit AES key is derived (see the third argument below).
// It is a fixed alphanumeric string shipped in the clear. (As written it omits 'W' and 'w'.)
var hea2p =
('0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz');
// Base64-encoded AES-CTR ciphertext (elided here).
var hea2t =
'XwHq/n3w [...] yFz/19lQ==';
// Aes.Ctr.decrypt comes from owa.js (not shown); it returns the decrypted message text.
var output = Aes.Ctr.decrypt(hea2t, hea2p, 256);
// The decrypted payload is written straight into the document as HTML, so the rendered
// message is whatever the spammer encrypted, markup and scripts included.
document.write(output)</script></head></<html>
<!-- NOTE: the closing tag is malformed in the original ("</<html>"); browsers render it regardless. -->

You can see that hea2t holds the Base64-encoded AES ciphertext and hea2p the passphrase (“012345678….xyz”) from which the 256-bit key is derived. Because the passphrase is delivered alongside the ciphertext, this is obfuscation rather than encryption — anyone who reads or runs the script recovers the message — but it is enough to trick an email filtering system that does not execute JavaScript.

The owa.js file contains the crypto JavaScript. The library was not written for malicious purposes, but has been repurposed by the spammer:

No excuses not to encrypt

There’s no real excuse not to apply encryption at the data layer. The tools are there, and your browser will quite happily run hashing methods (MD5, SHA-1, SHA-256 and SHA-3), block encryption (AES and 3DES), stream encryption (RC4 and Rabbit), and message authentication (HMAC-MD5, HMAC-SHA-256). Availability is not endorsement, though: MD5, SHA-1, RC4 and 3DES are broken or deprecated and appear below for completeness only — new designs should use AES, SHA-256/SHA-3 and HMAC-SHA-256. One of the most popular JavaScript libraries for this is CryptoJS:

The code implemented is (using CryptoJS v3.1.2):

<script type="text/javascript" src="/scripts/md5.js"></script>
<script type="text/javascript" src="/scripts/sha1.js"></script>
<script type="text/javascript" src="/scripts/sha3.js"></script>
<script type="text/javascript" src="/scripts/sha256.js"></script>
<script type="text/javascript" src="/scripts/sha512.js"></script>
<script type="text/javascript" src="/scripts/aes.js"></script>
<script type="text/javascript" src="/scripts/rabbit.js"></script>
<script type="text/javascript" src="/scripts/hmac-md5.js"></script>
<script type="text/javascript" src="/scripts/hmac-sha1.js"></script>
<script type="text/javascript" src="/scripts/hmac-sha3.js"></script>
<script type="text/javascript" src="/scripts/hmac-sha256.js"></script>
<script type="text/javascript" src="/scripts/pbkdf2.js"></script>
<script type="text/javascript" src="/scripts/rc4.js"></script>
<script type="text/javascript" src="/scripts/ripemd160.js"></script>
<script type="text/javascript" src="/scripts/tripledes.js"></script>
<script type="text/javascript">

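/**
 * Hashes `message` with MD5 and renders type / message / hex / Base64 into
 * the element with id "hash".
 *
 * Fixes: the Base64 line previously called CryptoJS.enc.Base64.parse() on the
 * hex string, which *decodes* Base64 and therefore printed garbage; the digest
 * WordArray is now encoded with the Base64 encoder. The report is assigned via
 * textContent rather than innerHTML so a message containing HTML is displayed
 * literally instead of being injected into the page.
 *
 * MD5 is cryptographically broken; it is kept here for demonstration only.
 *
 * @param {string} message - user-supplied text to hash
 */
function t1(message) {
  var digest = CryptoJS.MD5(message);
  var report =
    "Type:\t\tMD5" +
    "\nMessage:\t" + message +
    "\nHex:\t" + digest.toString(CryptoJS.enc.Hex) +
    "\nBase64:\t" + digest.toString(CryptoJS.enc.Base64);
  document.getElementById("hash").textContent = report;
}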
</script>





<script type="text/javascript">
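/**
 * Hashes `message` with SHA-1 and renders type / message / hex / Base64 into
 * the element with id "hash".
 *
 * Fixes: the Base64 line previously called CryptoJS.enc.Base64.parse() on the
 * hex string (a decode, not an encode) and printed garbage; the digest is now
 * encoded with the Base64 encoder. Output goes through textContent so
 * user-supplied text cannot inject HTML.
 *
 * SHA-1 is deprecated for collision resistance; demonstration only.
 *
 * @param {string} message - user-supplied text to hash
 */
function t2(message) {
  var digest = CryptoJS.SHA1(message);
  var report =
    "Type:\t\tSHA1" +
    "\nMessage:\t" + message +
    "\nHex:\t" + digest.toString(CryptoJS.enc.Hex) +
    "\nBase64:\t" + digest.toString(CryptoJS.enc.Base64);
  document.getElementById("hash").textContent = report;
}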
</script>



<script type="text/javascript">
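/**
 * Hashes `message` with SHA-256 and renders type / message / hex / Base64 into
 * the element with id "hash".
 *
 * Fixes: the Base64 line previously called CryptoJS.enc.Base64.parse() on the
 * hex string (a decode, not an encode) and printed garbage; the digest is now
 * encoded with the Base64 encoder. Output goes through textContent so
 * user-supplied text cannot inject HTML.
 *
 * @param {string} message - user-supplied text to hash
 */
function t3(message) {
  var digest = CryptoJS.SHA256(message);
  var report =
    "Type:\t\tSHA256" +
    "\nMessage:\t" + message +
    "\nHex:\t" + digest.toString(CryptoJS.enc.Hex) +
    "\nBase64:\t" + digest.toString(CryptoJS.enc.Base64);
  document.getElementById("hash").textContent = report;
}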

</script>
<script type="text/javascript">
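/**
 * Hashes `message` with SHA-512 and renders type / message / hex / Base64 into
 * the element with id "hash".
 *
 * Fixes: the type label said "SHA256" although the digest is SHA-512 — it now
 * reads "SHA512". The Base64 line previously called
 * CryptoJS.enc.Base64.parse() on the hex string (a decode, not an encode) and
 * printed garbage; the digest is now encoded with the Base64 encoder. Output
 * goes through textContent so user-supplied text cannot inject HTML.
 *
 * @param {string} message - user-supplied text to hash
 */
function t3b(message) {
  var digest = CryptoJS.SHA512(message);
  var report =
    "Type:\t\tSHA512" +
    "\nMessage:\t" + message +
    "\nHex:\t" + digest.toString(CryptoJS.enc.Hex) +
    "\nBase64:\t" + digest.toString(CryptoJS.enc.Base64);
  document.getElementById("hash").textContent = report;
}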

</script>


<script type="text/javascript">

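/**
 * Hashes `message` with CryptoJS.SHA3 at 224/256/384/512-bit output lengths
 * and renders the four hex digests into the element with id "hash".
 *
 * NOTE(review): the label says "SHA3 (Keccak)"; CryptoJS's SHA3 is understood
 * to use the original Keccak padding rather than the FIPS 202 one, so its
 * digests will not match a standards-compliant SHA-3 — confirm which is wanted
 * before relying on these values.
 *
 * Output goes through textContent so user-supplied text cannot inject HTML.
 *
 * @param {string} message - user-supplied text to hash
 */
function t3a(message) {
  var lengths = [224, 256, 384, 512];
  var report = "Type:\t\tSHA3 (Keccak)" + "\nMessage:\t" + message;
  for (var i = 0; i < lengths.length; i++) {
    var bits = lengths[i];
    var hex = CryptoJS.SHA3(message, { outputLength: bits }).toString();
    report += "\nHex (" + bits + "-bit):\t" + hex;
  }
  document.getElementById("hash").textContent = report;
}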
</script>
<script type="text/javascript">
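/**
 * Hashes `message` with RIPEMD-160 and renders type / message / hex / Base64
 * into the element with id "hash".
 *
 * Fixes: the type label was misspelt "RIPEM160"; it now reads "RIPEMD160".
 * The Base64 line previously called CryptoJS.enc.Base64.parse() on the hex
 * string (a decode, not an encode) and printed garbage; the digest is now
 * encoded with the Base64 encoder. Output goes through textContent so
 * user-supplied text cannot inject HTML.
 *
 * @param {string} message - user-supplied text to hash
 */
function t3c(message) {
  var digest = CryptoJS.RIPEMD160(message);
  var report =
    "Type:\t\tRIPEMD160" +
    "\nMessage:\t" + message +
    "\nHex:\t" + digest.toString(CryptoJS.enc.Hex) +
    "\nBase64:\t" + digest.toString(CryptoJS.enc.Base64);
  document.getElementById("hash").textContent = report;
}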

</script>
<script type="text/javascript">



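/**
 * Demonstrates an AES round trip: encrypts `message` under `password`,
 * decrypts the result again and renders type / message / password /
 * ciphertext / recovered plaintext into the element with id "hash".
 *
 * `password` is a string, so CryptoJS derives the key and IV from it itself.
 * NOTE(review): confirm that passphrase-based derivation is acceptable for
 * anything beyond a demo, and do not echo real passwords into the page as
 * this demo does.
 *
 * Output goes through textContent so user-supplied text cannot inject HTML.
 *
 * @param {string} message - plaintext to encrypt
 * @param {string} password - passphrase used for both encrypt and decrypt
 */
function t4(message, password) {
  var crypted = CryptoJS.AES.encrypt(message, password);
  var plain = CryptoJS.AES.decrypt(crypted, password);
  var report =
    "Type:\t\tAES" +
    "\nMessage:\t" + message +
    "\nPassword:\t" + password +
    "\nEncrypted:\t" + crypted.toString() +
    "\nDecrypted:\t" + plain.toString(CryptoJS.enc.Utf8);
  document.getElementById("hash").textContent = report;
}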
</script>


<script type="text/javascript">


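/**
 * Demonstrates a Rabbit stream-cipher round trip: encrypts `message` under
 * `password`, decrypts it again and renders type / message / password /
 * ciphertext / recovered plaintext into the element with id "hash".
 *
 * `password` is a string, so CryptoJS derives the key and IV from it itself.
 * NOTE(review): confirm that passphrase-based derivation is acceptable for
 * anything beyond a demo, and do not echo real passwords into the page as
 * this demo does.
 *
 * Output goes through textContent so user-supplied text cannot inject HTML.
 *
 * @param {string} message - plaintext to encrypt
 * @param {string} password - passphrase used for both encrypt and decrypt
 */
function t5(message, password) {
  var crypted = CryptoJS.Rabbit.encrypt(message, password);
  var plain = CryptoJS.Rabbit.decrypt(crypted, password);
  var report =
    "Type:\t\tRabbit" +
    "\nMessage:\t" + message +
    "\nPassword:\t" + password +
    "\nEncrypted:\t" + crypted.toString() +
    "\nDecrypted:\t" + plain.toString(CryptoJS.enc.Utf8);
  document.getElementById("hash").textContent = report;
}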
</script>


<script type="text/javascript">



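/**
 * Demonstrates an RC4 round trip: encrypts `message` under `password`,
 * decrypts it again and renders type / message / password / ciphertext /
 * recovered plaintext into the element with id "hash".
 *
 * Fixes: the "Decrypted" line printed the raw decrypted WordArray (hex words)
 * instead of the recovered text; it is now decoded as UTF-8, matching the
 * AES and Rabbit demos. Output goes through textContent so user-supplied
 * text cannot inject HTML.
 *
 * RC4 is a broken cipher and must not be used for new work; demo only.
 *
 * @param {string} message - plaintext to encrypt
 * @param {string} password - passphrase used for both encrypt and decrypt
 */
function t6(message, password) {
  var crypted = CryptoJS.RC4.encrypt(message, password);
  var plain = CryptoJS.RC4.decrypt(crypted, password);
  var report =
    "Type:\t\tRC4" +
    "\nMessage:\t" + message +
    "\nPassword:\t" + password +
    "\nEncrypted:\t" + crypted.toString() +
    "\nDecrypted:\t" + plain.toString(CryptoJS.enc.Utf8);
  document.getElementById("hash").textContent = report;
}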

</script>
<script type="text/javascript">



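/**
 * Demonstrates a Triple-DES round trip: encrypts `message` under `password`,
 * decrypts it again and renders type / message / password / ciphertext /
 * recovered plaintext into the element with id "hash".
 *
 * Fixes: the original encrypted with CryptoJS.DES and then tried to decrypt
 * the result with CryptoJS.RC4, so the "Decrypted" line could never match the
 * message. The label says 3DES and tripledes.js is loaded, so both sides now
 * use CryptoJS.TripleDES, and the plaintext is decoded as UTF-8 like the
 * other cipher demos. Output goes through textContent so user-supplied text
 * cannot inject HTML.
 *
 * 3DES is deprecated (64-bit block, Sweet32); demo only.
 *
 * @param {string} message - plaintext to encrypt
 * @param {string} password - passphrase used for both encrypt and decrypt
 */
function t6b(message, password) {
  var crypted = CryptoJS.TripleDES.encrypt(message, password);
  var plain = CryptoJS.TripleDES.decrypt(crypted, password);
  var report =
    "Type:\t\t3DES" +
    "\nMessage:\t" + message +
    "\nPassword:\t" + password +
    "\nEncrypted:\t" + crypted.toString() +
    "\nDecrypted:\t" + plain.toString(CryptoJS.enc.Utf8);
  document.getElementById("hash").textContent = report;
}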

</script>

<script type="text/javascript">
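/**
 * Computes HMAC-MD5 over `message` keyed with `password` and renders type /
 * message / password / hex / Base64 into the element with id "hash".
 *
 * Fixes: the Base64 line previously called CryptoJS.enc.Base64.parse() on the
 * hex string (a decode, not an encode) and printed garbage; the MAC is now
 * encoded with the Base64 encoder. Output goes through textContent so
 * user-supplied text cannot inject HTML.
 *
 * HMAC-MD5 is deprecated; prefer HMAC-SHA-256. Demo only.
 *
 * @param {string} message - data to authenticate
 * @param {string} password - HMAC key
 */
function t7(message, password) {
  var mac = CryptoJS.HmacMD5(message, password);
  var report =
    "Type:\t\tHMAC-MD5" +
    "\nMessage:\t" + message +
    "\nPassword:\t" + password +
    "\nHex:\t" + mac.toString(CryptoJS.enc.Hex) +
    "\nBase64:\t" + mac.toString(CryptoJS.enc.Base64);
  document.getElementById("hash").textContent = report;
}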
</script>

<script type="text/javascript">

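/**
 * Computes HMAC-SHA1 over `message` keyed with `password` and renders type /
 * message / password / hex / Base64 into the element with id "hash".
 *
 * Fixes: the Base64 line previously called CryptoJS.enc.Base64.parse() on the
 * hex string (a decode, not an encode) and printed garbage; the MAC is now
 * encoded with the Base64 encoder. Output goes through textContent so
 * user-supplied text cannot inject HTML.
 *
 * @param {string} message - data to authenticate
 * @param {string} password - HMAC key
 */
function t8(message, password) {
  var mac = CryptoJS.HmacSHA1(message, password);
  var report =
    "Type:\t\tHMAC-SHA1" +
    "\nMessage:\t" + message +
    "\nPassword:\t" + password +
    "\nHex:\t" + mac.toString(CryptoJS.enc.Hex) +
    "\nBase64:\t" + mac.toString(CryptoJS.enc.Base64);
  document.getElementById("hash").textContent = report;
}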

</script>

<script type="text/javascript">

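/**
 * Computes HMAC-SHA512 over `message` keyed with `password` and renders type /
 * message / password / hex / Base64 into the element with id "hash".
 *
 * Fixes: the Base64 line previously called CryptoJS.enc.Base64.parse() on the
 * hex string (a decode, not an encode) and printed garbage; the MAC is now
 * encoded with the Base64 encoder. Output goes through textContent so
 * user-supplied text cannot inject HTML.
 *
 * @param {string} message - data to authenticate
 * @param {string} password - HMAC key
 */
function t9(message, password) {
  var mac = CryptoJS.HmacSHA512(message, password);
  var report =
    "Type:\t\tHMAC-SHA512" +
    "\nMessage:\t" + message +
    "\nPassword:\t" + password +
    "\nHex:\t" + mac.toString(CryptoJS.enc.Hex) +
    "\nBase64:\t" + mac.toString(CryptoJS.enc.Base64);
  document.getElementById("hash").textContent = report;
}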

</script>
<script type="text/javascript">

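/**
 * Computes HMAC over `message` keyed with `password` using CryptoJS's SHA3
 * and renders type / message / password / hex / Base64 into the element with
 * id "hash".
 *
 * Fixes: the Base64 line previously called CryptoJS.enc.Base64.parse() on the
 * hex string (a decode, not an encode) and printed garbage; the MAC is now
 * encoded with the Base64 encoder. Output goes through textContent so
 * user-supplied text cannot inject HTML.
 *
 * NOTE(review): CryptoJS's SHA3 is understood to be Keccak rather than FIPS 202
 * SHA-3, so this MAC will not match an HMAC-SHA3 computed elsewhere — confirm.
 *
 * @param {string} message - data to authenticate
 * @param {string} password - HMAC key
 */
function t9a(message, password) {
  var mac = CryptoJS.HmacSHA3(message, password);
  var report =
    "Type:\t\tHMAC-SHA3" +
    "\nMessage:\t" + message +
    "\nPassword:\t" + password +
    "\nHex:\t" + mac.toString(CryptoJS.enc.Hex) +
    "\nBase64:\t" + mac.toString(CryptoJS.enc.Base64);
  document.getElementById("hash").textContent = report;
}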

</script>

<script type="text/javascript">

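/**
 * Derives 128-, 256- and 512-bit keys from `message` (used as the password)
 * with PBKDF2 and a fresh random 128-bit salt, and renders type / message /
 * salt / keys into the element with id "hash".
 *
 * Fixes: `salt` was assigned without `var`, leaking it as a global; the type
 * label was misspelt "BBKDF2"; and the dead commented-out 1000-iteration
 * variant used the wrong call signature. An optional `iterations` argument
 * now provides that knob properly — when omitted, the library default applies
 * exactly as before. NOTE(review): that default is understood to be a single
 * iteration, which is far too weak for real password storage; pass a large
 * iteration count (or use a memory-hard KDF) for anything beyond a demo.
 *
 * Output goes through textContent so user-supplied text cannot inject HTML.
 *
 * @param {string} message - password to stretch
 * @param {number} [iterations] - PBKDF2 iteration count; library default if omitted
 */
function t10(message, iterations) {
  var salt = CryptoJS.lib.WordArray.random(128 / 8);

  // Build the PBKDF2 options once per key size, adding `iterations` only when
  // the caller supplied one so the default behaviour is unchanged.
  function derive(bits) {
    var options = { keySize: bits / 32 };
    if (iterations !== undefined) {
      options.iterations = iterations;
    }
    return CryptoJS.PBKDF2(message, salt, options);
  }

  var key128Bits = derive(128);
  var key256Bits = derive(256);
  var key512Bits = derive(512);

  var report =
    "Type:\tPBKDF2" +
    "\nMessage:\t" + message +
    "\nSalt:\t\t" + salt.toString() +
    "\n128-bit:\t" + String(key128Bits) +
    "\n256-bit:\t" + String(key256Bits) +
    "\n512-bit:\t" + String(key512Bits);
  document.getElementById("hash").textContent = report;
}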

</script>

Conclusion

We need to increasingly use encryption at the data layer, and make sure we do not rely on encrypted tunnels alone — and, as the demo code above shows, getting the library calls right (correct encoders, matching algorithms on both sides, no implicit globals) matters as much as choosing to encrypt at all.