Have the Bad Guys Won the Cybersecurity War… and Does Quantum Help or Hurt…

Andrew Hammond, MagiQ Technologies, Inc.

02/14/22


MagiQ Technologies Company History

• Founded in July 1999 to commercialize quantum information technologies
• Headquartered in Somerville, MA
• Always looking for new hires
• Awards
  • Scientific American “Business Leader” in computing - Scientific American 50
  • IEEE Spectrum’s “Top Ten Companies to Watch for Next 10 Years”
  • World Economic Forum (Davos) Technology Pioneer
• Business Strategy
  • MagiQ is leveraging research funding to develop a portfolio of commercial products
  • MagiQ is building a broad portfolio of intellectual property: 50 patents pending/issued
• Quantum Product Line
  • Q-Box for test beds
  • QPN – Quantum Private Network
• Focus was on developing a patent portfolio for the long term
• MagiQ launched its first commercial quantum device in 2003 – shipping QPN 8505 today
• Funded by DARPA and IARPA to develop Quantum Computer Toolbox
• Important customers:

Abstract

Cyber and Cryptography
• Cyber technologies are omnipresent
• Cyber threats are growing more numerous and more sophisticated
• Cybersecurity is a growing and fundamental part of safety and security of individuals, organizations, and society
• Cryptography is a foundational pillar of cybersecurity
• Cryptography allows us to trust untrusted communication systems
• Encrypting data greatly reduces risk of cyber threats
  • Sony
  • Office of Management and Budget
• Most cryptographic algorithms are based on a computational assumption

Quantum Threat and Defense
• Quantum computer threatens those computational assumptions
• Quantum computer is much more probable in the short to mid term because of advances in science and engineering
• Quantum cryptography protects from that threat
• Quantum safe cryptography and quantum cryptography together provide future proof security
• Quantum cryptography will eventually provide quantum Internet
  • Satellites in LEO can distribute keys anywhere
  • Ground based repeaters
• How do we evolve from unsafe crypto to safe and secure?
  • Standards
  • Best practices
  • Ongoing technology development and adoption
• Quantum requires us to reinvent our cryptographic infrastructure
• Quantum safe is necessary to be cyber safe

Agenda

• Cyber Crime Threat Profile
  • Case Study: CozyDuke
    • Persistence of threat
    • Exfiltration
  • Breaches by
    • Organization
    • Size
    • Source
    • Type
    • Time
    • Cost
  • Large Organizations do not encrypt
• Quantum Cryptography and Computing
  • History of Crypto
  • Black Swan
  • Quantum Crypto
  • Post Quantum Crypto
  • NSA’s Plans
• Summary

Bad Guys in the Good ‘Ol Days…

Bad Guys Today…

Threat Profile

Case Study of Hacking Group: CozyDuke (aka CozyBear, CozyCar, or OfficeMonkeys)

• 2013 discovered by Kaspersky and F-Secure… Miniduke was switched to CosmicDuke
• Russian based
• Funded for long term… history of five years
• Probably works for or is approved by Russian government
• Targets enemies of Russia
  • government
  • diplomatic
  • energy
  • telecom operators
  • military, including military contractors
  • individuals involved in the traffic and selling of drugs
  • hit the White House and State Dept
• Sophisticated and ongoing

CosmicDuke 2014/2015 Advanced Persistent Threats and Advanced Evasion Techniques

• Persistence
  • Backdoor capable of stealing various types of information
  • Spoofs popular applications and designed to run in the background
  • Starts via Windows Task Scheduler, via a customized service binary that spawns a new process set in the special registry key, or is launched when the user is away and the screensaver is activated.
• Reconnaissance
  • Files based on extensions or file name keywords
  • Keylogger
  • Skype password stealer
  • General network information harvester
  • Screen grabber (grabs images every 5 minutes)
  • Clipboard grabber (grabs clipboard contents every 30 seconds)
  • Microsoft Outlook, Windows Address Book stealer
  • Google Chrome password stealer
  • Google Talk password stealer
  • Opera password stealer
  • TheBat! password stealer
• Reconnaissance (cont’d)
  • Firefox, Thunderbird password stealer
  • Drives/location/locale/installed software harvester
  • WiFi network/adapter information harvester
  • LSA secrets harvester
  • Protected Storage secrets harvester
  • Certificate/private keys exporter
  • URL History harvester
  • IntelliForms secrets harvester
  • IE Autocomplete, Outlook Express secrets harvester
• Exfiltrate
  • Data via FTP
  • Direct TCP connection and HTTP session via Winsock library
  • HTTP session via Urlmon.dll
  • HTTP session via invisible instance of Internet Explorer as OLE object

Top Breaches 2015 by Organization

• High number of discrete records impacting many individuals
• Files if encrypted would not be useful to hackers
• Across private and public sectors

Source: http://www.breachlevelindex.com/pdf/Breach-Level-Index-Report-H12015.pdf

Biggest Data Breaches

• Data breaches by size:
  • Ongoing threat
  • Large impacts
    • Economic: Home Depot
    • Privacy: Ashley Madison
    • National Security: US Office of Personnel Management

Source: DataBreaches.net, IdTheftCentre, press reports. Research: Miriam Quick, Ella Hollowood, Christian Miles, Dan Hampson. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks

Breaches by Source and Type

• Type of Breach Incidents
  • Identity theft (information that can be used to masquerade as someone)
  • Financial access (bank account credentials, credit card data)
  • Existential data (information of national security value or threatens business survival)
  • Account access (username/passwords to social media, websites, etc.)
  • Nuisance (email addresses, affiliation, etc.)
• Identity theft the largest problem by size
• Existential data the biggest impact
• Number of Breach Incidents
  • Malicious outsider
  • Accidental loss
  • Malicious insider
  • Hacktivist
  • State sponsored
• Malicious outsider largest problem by size
• Malicious insider might have biggest impact because of greater access

Source: Breach Level Index, http://breachlevelindex.com/pdf/Breach-Level-Index-Report-H12015.pdf

Breaches Over Time

• Malicious outsider breaches on the rise
• Other breach types pretty constant
  • Accidental loss
  • Malicious insider
  • Hacktivist
  • State sponsored

Source: Breach Level Index, http://breachlevelindex.com/pdf/Breach-Level-Index-Report-H12015.pdf

Breaches by Industry

• Breaches by industry
  • Healthcare and Government lead number of records breached
  • Note Technology industry’s large number of records breached vs. size of industry
• Breaches over time
  • Breaches in Financial Services and Government are growing faster than other categories

Source: Breach Level Index, http://breachlevelindex.com/pdf/Breach-Level-Index-Report-H12015.pdf

Types of Attacks

• Attacks have become sophisticated
• Attackers have become professional organizations who gain expertise and resources over time
• Black market for attack software is highly organized and even convenient
• Types of attacks are varied, mutating, and evolving
• Definitions are based on what respondents perceive
• Analysis on respondents’ organizations’ most recent perimeter security breach, asked to respondents whose organization experienced a breach (499 respondents).

Source: DSCI-Data Security Confidence Index http://www2.safenet-inc.com/dsci/DSCI-Report-EN.pdf

Cost of Cybercrime and as a Percentage of GDP

• Estimated cost of cybercrime is $445 billion per year to the worldwide economy
• US government estimated cost at $1 trillion, probably too high
• Cybercrime about the same cost as worldwide narcotics and car crashes
• Transnational crime and pilferage are larger problems
• Theory is problem needs to rise to 2% of GDP for society to take proactive action

Source: McAfee and Center for Strategic and International Studies, Net Losses: Estimating the Global Cost of Cybercrime, Economic impact of cybercrime II, June 2014

Large Organizations do not Encrypt

• 86% of respondents said less than 10% of data was encrypted during last breach
• 1,000 security and IT executives in the U.S., UK, Europe, Middle East and Asia-Pacific.
• Industries
  • financial
  • services
  • Healthcare
  • Manufacturing
  • public sector
  • telecommunications
  • Utilities
  • Retail
  • Construction
  • Insurance
  • legal
• “Thinking about your organization’s most recent breach, what percentage of the breached data was protected by encryption?”, asked to respondents whose organization experienced a breach (499 respondents)

Source: DSCI-Data Security Confidence Index http://www2.safenet-inc.com/dsci/DSCI-Report-EN.pdf

Quantum

Unanticipated Advances in Cryptography

In history, every advance in code-making has been defeated by advances in code-breaking with disastrous consequences to users.

• German Enigma Machine: 10 million billion possible combinations. Looked unbreakable
• Allied code-breaking machine “bombe”: Enigma broken

Thought Exercise

• Event
  • You wake up tomorrow morning and _____ has a fully functional quantum computer
  • You thought Snowden was bad
• Fact
  • Quantum computing can efficiently break:
    • RSA
    • Discrete logarithm problem: Diffie-Hellman key exchange
    • Elliptic-curve cryptographic systems
  • “If a quantum computer is ever built, much of conventional cryptography will fall apart!” (Brassard)
• Impact
  • All national security cryptographic infrastructure is compromised
    • No secrets from our adversaries
    • Destabilizing between nation-states
  • All trust zones that allow for commerce are disrupted
    • Massive fraud
    • Denial of service attack to the economy
    • Economic transactions would grind to a halt

Cryptopocalypse or Black Swan

• The term "cryptopocalypse" was probably first coined at the Black Hat USA information security convention in 2013.
• A talk presented by four security and technology experts at the show explored cryptographic weaknesses and attempted to answer the hypothetical question: "What happens the day after RSA is broken?"
• RSA is a widely used public-key cryptosystem used in digital signatures.
• The answer, they determined then, was: "almost total failure of trust in the Internet," for one thing. The reason? Almost everything we do on the Internet is in some way protected by cryptography.
• The speakers urged a move to stronger systems to thwart attacks against this backend security that we use for emails, banking, and a lot of other things.

Source: Patrick Nelson, Network World, Aug 21, 2015

Weaknesses in Existing Cryptography

• Security based on mathematical difficulty to break
• Intruder is not detectable, leaves no fingerprints
• Vulnerable to improvements in algorithms and hardware, including but not limited to a quantum computer
  • Solving of mathematical algorithms
  • New cryptanalysis attacks
  • Increases in computational power
  • Hardware improvements
• Encrypted data captured today may be readable in future
• Networks are easily tapped
• Data is readily stored in large volumes for big data applications and in the cloud
• Many organizations need to secure data communicated today for the long term
• Cryptographic keys are changed infrequently making brute force attacks easier
• Unauthorized access to network and cryptographic parameters and equipment
  • Hackers
  • Key couriers
  • Maintenance personnel
  • Social engineering
  • Disgruntled employee
  • Contractor
• US businesses lose over $500B/year in sales because of economic espionage (US Government)

Why Quantum Cryptography

• Key distribution with “perfect security”
• Invented > 20 years ago
  • Components are now available
  • Feasible with today’s level of technology
• Based on quantum physics of single photon
  • not mathematical assumptions
• Future-proof technology
  • Immune to increase of computing power or algorithms
  • No need for upgrades with QKD
• Symmetric Key Encryption
  • Provide real-time intrusion detection, identifying the exact location of eavesdropping devices
  • One Time Pad Encryption with Quantum Key Distribution provides provably unbreakable security

[Diagram: QKD link between Alice and Bob with eavesdropper Eve; labels “Alice - Intrusion alert!” and “Bob - Intrusion alert!”]

Quantum Key Distribution

• Properties of photons change if they are observed
• QKD systems detect intruders using polarized state of photons that travel through optical lines
• By analyzing the error rate, MagiQ’s QKD hardware can absolutely detect if the key has been viewed by an Eve intercepting the optical signal
• Node-pairs can reach a distance of over 100km, which in conjunction with cascading, will enable deployment over a long-distance optical network
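The error-rate check described on this slide, as an added example that is not MagiQ's code or part of the original deck: a simulation of the BB84 protocol over an ideal, lossless channel with an intercept-and-resend eavesdropper. BB84 itself, the function names and the 11% abort threshold are assumptions of this example; the slides do not name a protocol or a threshold.

```python
import random

BASES = "+x"  # rectilinear and diagonal polarization bases


def measure(bit, prep_basis, meas_basis, rng):
    """Matching bases read the encoded bit; mismatched bases give a coin flip."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def bb84_sift(n_photons, eavesdrop, rng):
    """Send n_photons and return (alice_bit, bob_bit) pairs where bases matched."""
    sifted = []
    for _ in range(n_photons):
        bit, a_basis = rng.randint(0, 1), rng.choice(BASES)
        b_basis = rng.choice(BASES)
        flying_bit, flying_basis = bit, a_basis
        if eavesdrop:
            # Eve must guess a basis, measure, and resend what she saw.
            e_basis = rng.choice(BASES)
            flying_bit = measure(bit, a_basis, e_basis, rng)
            flying_basis = e_basis
        bob_bit = measure(flying_bit, flying_basis, b_basis, rng)
        if a_basis == b_basis:  # bases are compared publicly, bits are not
            sifted.append((bit, bob_bit))
    return sifted


def estimate_qber(sifted, sample_fraction, rng):
    """Reveal a random sample to measure the error rate; the rest is key."""
    if not sifted:
        return 0.0, []
    sample_size = max(1, int(len(sifted) * sample_fraction))
    revealed = set(rng.sample(range(len(sifted)), sample_size))
    errors = sum(1 for i in revealed if sifted[i][0] != sifted[i][1])
    key = [a for i, (a, _) in enumerate(sifted) if i not in revealed]
    return errors / sample_size, key


def run_link(n_photons=4000, eavesdrop=False, threshold=0.11, seed=1):
    """One key-exchange session: alert and discard the key if QBER is too high."""
    rng = random.Random(seed)
    sifted = bb84_sift(n_photons, eavesdrop, rng)
    qber, key = estimate_qber(sifted, 0.5, rng)
    alert = qber > threshold  # threshold is an assumed value for this example
    return {"qber": qber, "alert": alert, "key_bits": 0 if alert else len(key)}


if __name__ == "__main__":
    for eve in (False, True):
        print("eavesdropper" if eve else "clean link  ", run_link(eavesdrop=eve))
```

On this ideal channel the untapped link shows an error rate of zero, while intercept-and-resend pushes it toward 25% because Eve picks the wrong basis half the time. Real links have a nonzero baseline error rate from noise, which is why the decision is a threshold rather than a test for zero.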

Quantum Cryptography State of the Art

• There are current limitations in Quantum Crypto deployments
  • Distance is limited to 100km
  • Can daisy chain trusted nodes
  • Standards
    • FIPS is the most important in the US
    • Some industry work ongoing
• Positives
  • Key rates have gotten faster
  • Detectors have gotten more sensitive
  • Line card form factor
  • Possible optical chip design
• Low Orbit Satellite
  • Unlimited distance
  • Europe and China are putting up satellites
• Quantum Repeater
  • Some years away
• China leading the charge
  • Beijing to Shanghai network
  • Satellite going up
• US is probably behind

General Characteristics of Fiber-Based Commercial QKD Systems

• Telecom fiber for quantum channel
• Photon phase encoding
• Pulse repetition rate ~ 1 MHz
• Distance ~ 100 km
• Integrated Ethernet encryption/VPN Subsystem
• Typical Architecture

[Diagram: typical architecture with QKD, VPN, Key Mgmt and Sys Mgmt blocks]

Post Quantum Cryptography

• Development of Quantum Computer resistant crypto
  • Lattice-based public-key cryptography: short or close vectors in lattices.
  • Multivariate public-key cryptography: nonlinear multivariate equations over finite fields.
  • Code-based public-key cryptography: decoding linear codes, for example, Goppa codes.
  • Hash-based signatures: finding collisions of cryptographic hash functions.
• Quantum Cryptography
  • Random Number Generation
  • Quantum Key Distribution
  • Possibly Hybrid Approach of QKD and Post-Q Algorithm

NSA Plans for Post Quantum Cryptography

• Snowden discloses NSA working on a quantum computer… “Penetrating Hard Targets” project
  • “a cryptologically useful quantum computer”
• “Owning the Net,” is using quantum research to support the creation of quantum-based attacks on encryptions like RSA

https://www.washingtonpost.com/apps/g/page/world/a-description-of-the-penetrating-hard-targets-project/691/

“It is important to note that we aren't asking vendors to stop implementing the Suite B algorithms and we aren't asking our national security customers to stop using these algorithms. Rather, we want to give more flexibility to vendors and our customers in the present as we prepare for a quantum safe future.”

https://www.nsa.gov/ia/programs/suiteb_cryptography/

Conclusion: Have the Bad Guys Won the Cybersecurity War… and Does Quantum Help or Hurt…

• The bad guys have not won… but they are ahead of the curve
• Encryption protects against most threats
• Quantum Crypto can assist as a part of a layered approach to defense
• Quantum Crypto can protect against Quantum Computing

Cyber and Cryptography
• Cyber technologies are omnipresent
• Cyber threats are growing more numerous and more sophisticated
• Cybersecurity is a growing and fundamental part of safety and security of individuals, organizations, and society
• Cryptography is a foundational pillar of cybersecurity
• Cryptography allows us to trust untrusted communication systems
• Encrypting data greatly reduces risk of cyber threats
  • Sony
  • Office of Management and Budget
• Most cryptographic algorithms are based on a computational assumption

Quantum Threat and Defense
• Quantum computer threatens those computational assumptions
• Quantum computer is much more probable in the short to mid term because of advances in science and engineering
• Quantum cryptography protects from that threat
• Quantum safe cryptography and quantum cryptography together provide future proof security
• Quantum cryptography will eventually provide quantum Internet
  • Satellites in LEO can distribute keys anywhere
  • Ground based repeaters
• How do we evolve from unsafe crypto to safe and secure?
  • Standards
  • Best practices
  • Ongoing technology development and adoption
• Quantum requires us to reinvent our cryptographic infrastructure
• Quantum safe is necessary to be cyber safe

Back Up Slides

Tools for Security Breach

• Optical Taps
  • May be easily created using common maintenance equipment that can be purchased legally and cheaply worldwide
  • Allow unfettered access to all voice and data communications transiting an optical fiber
  • Are not detectable in today’s optical networks
• Packet-Sniffers filter out specific packets based on header and store and analyze the data

Opportunities for Security Breach

• Carrier Equipment Locations
  • Central Office
  • Co-located leased space
  • Carrier Hotels (“60 Hudson Street”)
  • Commercial Office Buildings
  • Office Building Wiring Closets
  • Outside Plant Equipment Huts
  • Personnel access
• Network Access Concerns
  • Undetectable Fiber Taps
  • Fiber Cross Connects Patch Panel
  • Network Probes
  • Out of Band Management Network
  • Monitoring Access Ports
  • Local DTE Access Ports

[Diagram: network tap with Port A, Port B and Analyzer; connections labelled In, Out, Out A, Out B]

Recent News: Ecosystem is Developing

Quantum Computing Startups

Encryption Important to Free Speech Says UN Report

• "Encryption and anonymity, separately or together, create a zone of privacy to protect opinion and belief"
• The tools to bestow such protection are essential, it says, given the "unprecedented capacity" governments, companies, thieves and pranksters now have to interfere with people's ability to express themselves.
• Lacking such tools, it adds, many people will be unable to fully explore "basic aspects of their identity" such as their gender, religion, ethnicity, origins or sexuality.
• The software acts as a "shield" for opinions against external scrutiny - a fact that is "particularly important in hostile political, social, religious and legal environments", says the report.
• "States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression."

BBC News/May 2015 http://www.bbc.com/news/technology-32916002

Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye, May 22, 2015 http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session29/Documents/A.HRC.29.32_AEV.doc