

1/22/2018
08:05 AM
Simon Marshall

Thycotic's Joseph Carson: Government & Encryption Issues Will Be Huge

In the second part of his Q&A with Security Now, Thycotic Chief Security Scientist Joseph Carson talks about encryption and the role that governments play in security.

Security Now contributor Simon Marshall recently sat down with Joseph Carson, chief security scientist at Washington, DC-based Thycotic, a privileged account security firm. This is the second part of a two-part Q&A session Carson did with Security Now.

Carson holds several security certifications and he is a cybersecurity advisor to several governments around the world. In the first part of the interview, Carson spoke about personal privacy -- an area of particular interest to him. (See Thycotic's Joseph Carson: Hackers Will Soon Read Your Mind.)

In this second part, Carson offers his thoughts about encryption at a national level, government security concerns and the growing threat of ransomware.

Simon Marshall for Security Now: So, encryption and government bodies are two things that you believe are at loggerheads. Why is that?

Joseph Carson: This issue is going to be huge. The problem we have is that governments have one hammer, and they treat all cybercrime with that same hammer, even though it involves different cyber attack models, different people, across different borders and in different locations. They're trying to use the same hammer to solve a multitude of very different problems.

SN: There have been declarations from a few governments seemingly centered on whether they think encryption is a help or a hindrance, right? Banning is seen as exercising the hammer?

JC: Most cybercrime is committed across borders. We're in a much safer world today than we were 20 years ago. But if you get rid of the good things that encryption provides versus the few unfortunate events that slip through, you're making a mistake. For example, when I hear the Australian prime minister come out and say "we have to ban encryption," I'm deeply concerned.

Russia banned the use of encryption -- that is, using a VPN to access prohibited websites. But they knew they couldn't prohibit encryption itself, so they banned the act of encrypting. Which I think is an interesting approach, because it shows where we can all be much more flexible.

In my world of digital forensics, I look at two things. I look at the attack motive and I follow the money. What we should be criminalizing is the motive -- the criminal activity rather than the solution that's being used to protect against it; someone may drive while they're shooting off weapons, but let's not ban driving itself.

SN: So, what's your solution?

JC: There are certain things we can do, and I think the motives and actions should be punished, not the tool that in itself acts as a solution. And this is where the industry will come head-to-head with governments, because governments need to understand they should be focused on discovering the illegal activities, rather than coming down on encryption controls.

SN: Do governments understand enough about encryption to even know if their actions are going to benefit cybersecurity?

JC: Well, there's a need to have better government intelligence and better ways of gathering it. However, there's a lack of understanding about encryption at that level. Encryption is not the problem, it's a solution. Ultimately what happens is that if someone bans encryption in their own country, they're harming themselves.

The opposite position is a challenge too. What if all intellectual property, healthcare records, and personal financial information are open to the world? Where are the boundaries for that? It's a ridiculous idea to believe that a society can be completely open. Would governments choose to keep their own information encrypted, but not the data of its citizens? Governments really don't understand encryption or even the use cases. They don't understand the challenges that encryption solves.

SN: Is there a tipping point that exemplifies this sort of situation?

JC: The tipping point was when the FBI went to Apple and tried to get backdoor access to iPhones, and that failed through the court system. When you have a government going directly to a private company, or another state, or even another country outside of the US, and they're privately paying to unlock a phone, we see one country paying another to gain access to a device. But that implies that the solution could be sold to everyone else too. If we go further, into political or presidential election outcomes, it implies we may have hacking groups who can work both hands.

SN: I really worry about the trading of stolen consumer or governmental data for financial gain. A good example is ransomware. There were reportedly very poor returns in ransom fees for WannaCry. What do you think about that?

JC: Well, look at who had the motive to do this, and where the money went. The thing with ransomware is that it has multiple impacts. One is that data can be destroyed, another is that there's a financial reward for the criminals. But in other cases I've been tracking, depending on the cryptocurrency the demand is in, ransomware can cause currency manipulation by misdirection. I actually believe that WannaCry was one of the biggest currency manipulations in history.

SN: How so?

JC: Hackers today are very smart. They want to make money legally versus illegally. WannaCry was not one single actor, but multiple actors. One set of people created a distraction. One set created the payload and delivered it. The group who executed it were not interested in the financial ransom result, they were interested in misdirection from the fact they were manipulating the valuation of the coin.

SN: How did you come to that conclusion?

JC: If you look at actual transactions in Bitcoin at the time, there was a significant transaction to buy Bitcoins. Then, about two weeks after the WannaCry hit, someone exited Bitcoin with a half-million-dollar transaction, at a steep profit. The person executing the manipulation part was smart compared to the person who did the payload delivery, who didn't get the anticipated financial ransom return.

SN: Misdirection is troubling -- does the concept apply elsewhere?

JC: Well, let's just say that if you hack a company, and you want to get away without being caught, you can misdirect from certain actions, and that allows you the window to destroy or corrupt the log and history of your digital footprints. If the target company is overly focused on getting up and running again, they might not notice that they have been subject to insider trading.


— Simon Marshall, Technology Journalist, special to Security Now
