It’s medieval witchcraft, it’s genuinely medieval witchcraft

I get asked many times if I can decrypt someones files, and the answer is “Unless you have the encryption key, the answer is No”, “But surely you have a special tool?”, “No, I have no magic wand!”.

Medieval witchcraft

After attending so many talks on cyber security that leave you scared to go out of your home, and watching people on TV talk about cyber hackers and frighten the public, I loved a recent talk by Dr Ian Levy from GCHQ, in which he outlined how …

…world-plus-dog were trying to flog security defenses to tackle “advanced persistent threats,” usually you see photos of hoodie-cloaked blokes poised over a keyboard with Matrix-style green lettering in the background. But such figures — seen as untouchable, unbeatable, and untraceable — are chimeras, and it’s just “adequate pernicious toe-rags” who are doing the hacking

So while Dr Ian Levy was heckled by one attendee over plans to filter content, you really had to take note of:

“We are allowing massively incentivised companies to define the public perception of the problem.”

Wow! Tell it like it is! And one of my favourite quotes is …

“If you call it an advanced persistent threat, you end up with a narrative that basically says ‘you lot are too stupid to understand this and only I can possibly help you — buy my magic amulet and you’ll be fine.’”

Superb … it takes a bit of guts to say something like that.

And this comes after we have spent so long trying to articulate the problems in cyber security and to inform the general public about what cyber security actually is.

“It’s medieval witchcraft, it’s genuinely medieval witchcraft.”

Behind his talk, too, there’s a strong message for companies:

He pointed out that a UK telco had recently been taken offline using a SQL injection flaw that was older than the hacker alleged to have used it. That’s not advanced by any stretch of the imagination,

And for companies he wants “active security”:

… active as in “getting off your arse and doing something.”

So let’s talk snake oil

There are some companies around that say they will recover files for organisations hit by ransomware. With ransomware, the malicious program creates a unique key and uses it to encrypt the files on a system. That unique key is then encrypted with the cybercriminal’s public key and passed back to them. The cybercriminal decrypts the unique key with their private key, and then sits and waits for the ransom to be paid.

Such an easy crime. And so should companies just pay? Well, there are many ethical and political issues in just paying the ransom, so quite a few companies get a security firm to analyse their systems and try to recover their files. Recently Renee Dudley and Jeff Kao — from ProPublica — analysed two “don’t pay the ransom” companies, Proven Data and MonsterCloud:

Shockingly, they found that the companies had very little in place to actually decrypt the files — as it is almost impossible to do this — and much of the time they simply paid the ransom and then obtained the keys. In fact, it is alleged that they had long-term relationships with the ransomware criminals.

There was no magic wand, as there can’t be one!

The only way to crack this is to get hold of the cybercriminal’s key store and their private key.
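To make the two points above concrete, here is the hybrid scheme the post describes, written in Go as an added example for this page (it is not code from the researchers, the companies named, or any ransomware): a fresh AES key seals the data, RSA-OAEP wraps only that key, and a responder can unwrap it solely with the matching private key. The two RSA key pairs and the sample data are constructed inside the code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sealWithWrappedKey is the scheme the post describes: a fresh random AES key encrypts
// the data and only that key is RSA-wrapped. Returns (nonce||ciphertext, wrapped key).
func sealWithWrappedKey(plain []byte, pub *rsa.PublicKey) ([]byte, []byte, error) {
	buf := make([]byte, 44) // 32-byte AES-256 key + 12-byte GCM nonce, unique per victim
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nonce, nonce, plain, nil) // nonce prepended, then AES-GCM output
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return ct, wrapped, err
}

// tryRecover is the responder's side: unwrap with whatever private key you hold,
// then decrypt. Any key other than the criminal's fails at the OAEP step.
func tryRecover(ct, wrapped []byte, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap the file key with this private key")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func main() {
	criminal, _ := rsa.GenerateKey(rand.Reader, 2048)  // constructed: the criminal's key pair
	responder, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed: any other key pair
	ct, wrapped, _ := sealWithWrappedKey([]byte("constructed sample data"), &criminal.PublicKey)
	_, err := tryRecover(ct, wrapped, responder)
	out, _ := tryRecover(ct, wrapped, criminal)
	fmt.Printf("other key: %v\ncriminal's key: %q\n", err, out)
}
```

Nothing in the sealed output or the wrapped key leaks the AES key, which is why a responder holding only the victim's disk has no more to work with than the ciphertext.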

Conclusions

“It’s medieval witchcraft, it’s genuinely medieval witchcraft.”