No Fun and Games with Backfiring Online Encryption
Modern encryption to standards like AES (Advanced Encryption Standard) is unbreakable. Or more exactly, when the encryption is done correctly, any successful attack would, with current levels of technology, take billions of years. So what’s the problem? If your cloud data is properly encrypted, nobody including governments and hackers will be able to break into it. This is true. Unfortunately, it may also be irrelevant. If somebody can get hold of your encryption key, then your data can be read immediately. And acquiring such keys may be easier and faster than you think.
Who Keeps the Encryption Key?
This is the first issue to sort out. Cloud providers may offer strong encryption of your data, but then keep the key. The good news is that you need never be locked out of your own data. The bad news is that other people can get in as well. Cloud providers can come under pressure from government agencies to hand over encryption keys in certain cases. You may think that information about you would be unlikely to interest anyone, but if you store customer information, snoopers may suddenly become interested. A solution is to encrypt your data yourself before you send it to the cloud, and keep the key to yourself as well.
Spying on the Key instead of the Data
Even so, it may be possible for hackers to get your key and therefore your data. The first way is to ask you for it. By masquerading as a cloud provider support technician for example, a hacker might catch you off-guard and persuade you to communicate your key. Alternatively, a hacker could seek to recover your encryption key by tracking your use of cloud resources and the trail you leave in cloud servers as you use their compute power. In tests, ethical attacks have been successfully accomplished in milliseconds to recover keys (compare that with billions of years to crack the actual data.)
Encryption for Extortion
In this variation on the online encryption theme, cybercriminals infiltrate users’ computers with malware that encrypts the users’ data, without the users knowing it is happening. The only way for the users to recover their data is to pay a ransom to the cybercriminals. Cryptolocker was a recent high-profile example of this tactic. From an online botnet of computers they controlled and hid behind, the Cryptolocker perpetrators sent apparently innocent emails and snared users of Windows PCs. One estimate of the total ransom paid to the perpetrators was $3 million. It might have been more except that a group of law enforcement agencies, vendors and universities were able to stop the operation of the ‘Gameover ZeuS’ botnet used for distributing the Cryptolocker malware.
The Future of Effective Encryption
The Snowden revelations suggest that government agency attempts to decrypt online data and communications have so far met with mixed results. Some systems continue to resist attempts to decrypt their data. The Tor network or ‘Onion Router’ as the Tor software is known encrypts user data so that no single computer in its network knows everything about a given user. Open Source software such as that used for the Off-the-Record protocol is both effective in encryption and difficult for someone to tamper with unnoticed, because anyone can see the source code. For the foreseeable future at least, an approach based on open standards and good security procedures may be the best way to keep online data confidential.
