We Need To Get Better At Security!

Imagine if an electrical engineer found a fault in the wiring in your house, but said, “You have a fault, but it’ll take me 10 months to…
Photo by Bernard Hermant on Unsplash

We Need To Get Better At Cybersecurity!

Imagine if an electrical engineer found a fault in the wiring in your house, but said, “You have a fault, but it’ll take me 10 months to fix it!”, and then walked away, and said, “I’ll be back in 10 months time”.

Now imagine, if the electrical engineer did not understand Ohm’s Law, and where you couldn’t trust them to even wire a plug. Well, in computer security, one of the weakest areas for the profession is in encryption, and where the majority of security professionals would struggle to get past the basics of symmetric key encryption, and then lose it when it comes to the basics of PKI. At the core of the problem, too, is the general lack of understanding of encryption by software developers, and where security is seen as an after-thought.

This problem was highlighted this week by a bug found in some of Fortinet’s products, and where a hard-coded encryption key was used to pass information from a device to a central server. This used an XOR operation and a static key. The discovery of the key is basically done by taking the cipher, and XOR’ing it with the original message:

Key = Cipher XOR (Message)

and that’s it. Once the key is known, every other cipher is then cracked! The packages which had the weaknesses included data on Web filtering, email and antivirus information.

Overall the weakness was found in May 2018 (by Stefan Viehböck,from SEC Consult), but has since not been fixed. The key was finally removed in May 2019, but where it took 10 months to update the latest product range, and another eight months to update older products.

XOR challenge

If you want to examine the XOR operator, I have created a challenge here (go to Q60). Here is one for you to crack:

60. What is the XOR cipher for the cipher bitstream of (with a repeated key of ‘a’ — 0x61 or 0110 0001b): 00010010 00010001 00000000 00000101 00000100

Additional information:

The bitwise operation we use is Z=A XOR B:
A B Z
-----
0 0 0
0 1 1
1 0 1
1 1 0
If we use an 'a' (0110 0001) and plain text of "shape" we get:
          's'       'h'     'a'       'p'      'e'
Input:  01110011 01101000 01100001 01110000 01100101
Key:    01100001 01100001 01100001 01100001 01100001
---------------------------------------------------
Cipher  00010010 00001001 00000000 00010001 00000100
If we use an 'a' (0110 0001) again we get:
Input:  00010010 00001001 00000000 00010001 00000100
Key:    01100001 01100001 01100001 01100001 01100001
---------------------------------------------------
Decoded 01110011 01101000 01100001 01110000 01100101
          's'       'h'    'a'       'p'      'e'

Conclusions

We need to get better as a profession - both generally for cybersecurity and for software developments — at encryption, as it’s the lowest level of defense that we can create. To use a static key with an XOR operation, is just sloppy. And then to take 10 months to fix, it really not a good sign for an industry that aims to put security at the top of everyone’s agenda.