In what seems to be a year of relentless breaches, a new report from cybersecurity firm Cylance has revealed that Iranian hackers have infiltrated some of the world’s top energy, transport and infrastructure firms over the past two years in an effort that could eventually cause physical damage.
What information was breached? The hackers have stolen “highly sensitive materials” from at least 50 firms worldwide, including 10 U.S. companies. Besides the U.S., the intruders have hit other companies and agencies throughout Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey and the United Arab Emirates.
How did it happen? Dubbed Operation Cleaver, the 87-page report claims that the effort has “successfully leveraged both publicly available and customized tools to attack and compromise targets around the globe.”
What are they saying? “As Iran’s cyber warfare capabilities continue to morph, the probability of an attack that could impact the physical world at a national or global level is rapidly increasing.”
In the wake of the recent Sony Pictures hack, the FBI has issued a confidential report urging businesses to remain vigilant against new malicious software that can be used to launch “destructive” cyberattacks.
According to Reuters, the five-page confidential warning doesn’t specifically list the Sony incident. It does, however, name an attack that cybersecurity experts tell the news agency is a large-scale hack that took down the Hollywood company. While similar attacks have occurred in South Korea and throughout the Middle East, the latest is believed to “mark [the] first major destructive cyber attack waged against a company on U.S. soil.”
The “flash” FBI warning issued to businesses shared some insight and technical details around how malware works, as well as how to respond to it, encouraging businesses to reach out to the FBI if they identified similar software.
“The FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals,’ explained FBI spokesman Joshua Campbell.
Re/code has reported that Sony are probing the incident to see whether those responsible for carrying out the hack are working behalf of North Korea, and perhaps operating in China.
It is evident now more than ever, hardware-based solutions are necessary to protect every system and embedded design. As you can see from recent headlines, like BadUSB, hardware protection beats software protection every time. That’s because software is always subject to bugs, tampering and malware, just as the latest report warns. The protection provided by CryptoAuthentication is built directly into a device, and it is secured in tested hardware. Start safeguarding today!
In today’s world, the three pillars of security are confidentiality, integrity (of the data), and authentication (i.e. “C.I.A.”). Fortunately, Atmel CryptoAuthentication crypto engines with secure key storage can be used in systems to provide all three of these.
Focusing on the confidentiality pillar, in a symmetric system it is advantageous to have the encryption and decryption key shared on each side go through a change for every encryption/decryption session. This process, which is called symmetric session key exchange, helps to provide a higher level of security. Makes sense, right?
So, let’s look at how to use the capabilities of the ATSHA204A CryptoAuthentication device to create exactly such a changing cryptographic key. The way a key can be changed with each session is by the use of a new (and unique) random number for each session that gets hashed with a stored secret key (number 1 in the diagram below). While the stored key in the ATSHA204A devices never changes, the key used in each session (the session key) does. Meaning, no two sessions are alike by definition.
The video below will walk you through the steps, or you can simply look at the diagram which breaks down the process.
The session key created by the hashing of the stored key and random number gets sent to the MCU (number 2) and used as the AES encryption key by the MCU to encrypt the data (number 3) using the AES algorithm. The encrypted data and the random number are then sent (number 4) to the other side.
Let’s explore a few more details before going on. The session key is a 32 byte Message Authentication Code or “MAC.” (A MAC is defined as a hash of a key and message.) 16 bytes of that 32 byte (256 bit) MAC becomes the AES session key that gets sent to the MCU to run the AES encryption algorithm over the data that is to be encrypted.
It is obvious why the encrypted code is sent, but why is the random number as well? That is the magic of this process. The random number is used to recreate the session key by running the random number through the same SHA-256 hashing algorithm together with the key stored on the decryption side’s ATSHA204A (number 5). Because this is a symmetric operation, the secret keys stored on both of the ATSHA204A devices are identical, so when the same random number is hashed with the same secret key using the same algorithm, the 32 byte digest that results will be exactly the same on the decrypting side and on the encrypting side. Just like on the encrypting side, only 16 bytes of that hash value (i.e. the MAC) are needed to represent the AES encryption/decryption key (number 6). At this point these 16 bytes can be used on the receiving side’s MCU to decrypt the message(number 7).
And, that’s it!
Note how easy the ATSHA204A makes this process because it stores the key, generates the random number, and creates the digest. There’s a reason why we call it a crypto engine! It does the heavy cryptographic work, yet is simple to configure the SHA204A using Atmel’s wide range of tools.
Not to mention, the devices are tiny, low-power, cost-effective, work with any micro, and most of all, store the keys in ultra-secure hardware for robust security. By offering easy-to-use, highly-secure hardware key storage crypto engines, it’s simple to see how Atmel has you covered.
According to reports, the computer system belonging to Sony Pictures has been hacked after a thread surfaced on Reddit claiming all computers at the company were offline due to a breach. The Reddit thread says that an image appeared on all employee’s computers reading “Hacked by #GOP” and demanding their “requests be met” along with links to leaked data.
What information was breached? The Next Web reveals that the ZIP files mentioned in the images contain a list of file names of a number of documents, including financial records along with private keys for access to servers. The “Hacked by #GOP” message warned that the data supposedly obtained from Sony’s systems would be divulged on Monday, November 24 at 11 pm GMT.
What are they saying? Variety reports that Sony employees have been warned not to connect to the company’s corporate networks or access their emails. The incident is still being investigated…
The UK Information Commissioner’s Office is warning the general public about a website containing thousands of live feeds from stand-alone webcams and CCTV systems to baby monitors.
What information was breached? A Russian website is sneaking a peek into the homes, gyms and offices of innocent people throughout the globe. Not only does the website show these unfiltered images, CBS News reveals that they also provide the exact coordinates of the location, complete with zip codes and links to a map. The hackers note that their site has been created in an effort to highlight the significance of security, urging those with remote-access cameras change their manufacturer’s default passwords.
How many are affected? At the moment, there are more than 4,000 cameras listed in the United States, 600 from the UK and over 10,000 others from 152 countries worldwide. Furthermore, exposed footage ranges from unmade children’s beds and kids watching television in the comfort of their own homes to living rooms and workplace lounges. Heck, snapshots from places like car insurance sales offices and candy stores to tattoo parlors and backyards have been released to the public. With an estimated 350,000 remote-access cameras sold in the UK last year alone, the ICO warned that those without password protection or with weak passwords could be vulnerable to hackers. This doesn’t include those from the 150-plus other countries as well.
What are they saying? “This is a threat that all of us need to be aware of and be taking action to protect against. Remember, if you can access your video footage over the Internet, then what is stopping someone else from doing the same? You may think that having to type in an obscure web address to access the footage provides some level of protection. However, this will not protect you from the remote software that hackers often use to scan the internet for vulnerable devices,” explained Simon Rice, ICO’s Technology Group Manager for the .
This incident represents a perfect model as to why the Internet of Things requires strong security, including encryption and authentication. In fact, we could not have created a demo any better than this to exemplify that point. “The cameras are IoT nodes by default. The website is a hacker. The data is intercepted and misused. Perhaps this notion of hackers posting your data to the net could be called the inadvertent IoT. We are all vulnerable which should drive the realization that built in security is paramount,” explained Atmel’s resident security expert Bill Boldt. “Anyways, this really brings it all home… literally.”
Hackers from China were recently able to breach the government computer network at the agency that oversees the National Weather Service, officials revealed.
What information was breached? According to The Washington Post, NOAA officials also would not say whether the attack removed material or inserted malicious software in its system, which is used by civilian and military forecasters in the United States and also feeds weather models at the main centers for Europe and Canada. NOAA operates a network of weather satellites and websites that distribute crucial information to public and private organizations, including forecasts for airlines and other transportation companies.
When did it happen? The intrusion occurred in late September but officials gave no indication of the problem until October 20, three people familiar with the hack explained.
What are they saying? NOAA spokesman Scott Smullen confirmed in a statement that four websites were “compromised by an Internet-sourced attack,” forcing the agency to perform unscheduled maintenance in recent weeks.
Authentication may just be the “sine qua non” of the Internet of Things.
Let’s just come out and say it: Not using the most robust security to protect your digital ID, passwords, secret keys and other important items is a really, really bad idea. That is particularly true with the coming explosion of the Internet of Things (IoT).
The identity (i.e. “ID”) of an IoT node must be authenticated and trusted if the IoT is ever to become widely adopted. Simply stated, the IoT without authenticated ID is just not smart. This is what we mean when we say don’t be an ID-IoT.
It seems that every day new and increasingly dangerous viruses are infecting digital systems. Viruses — such as Heartbleed, Shellshock, Poodle, and Bad USB — have put innocent people at risk in 2014 and beyond. A perfect case in point is that Russian Cyber gangs (a.k.a. “CyberVor”) have exposed over a billion user passwords and IDs — so far. What’s scary is that the attacks are targeted at the very security mechanisms that are meant to provide protection.
If you think about it, that is somewhat analogous to how the HIV/AIDS virus attacks the very immune system that is supposed to protect the host organism. Because the digital protection mechanisms themselves have become targets, they must be hardened. This has become increasingly important now that the digital universe is going through its own Big Bang with the explosion of the IoT. This trend of constant connectivity will result in billions of little sensing and communicating processors being distributed over the earth, like dust. According to Gartner, processing, communicating and sensing semiconductors (which comprise the IoT) will grow at a rate of over 36% in 2015, dwarfing the overall semiconductor market growth of 5.7%. Big Bang. Big growth. Big opportunity.
The IoT will multiply the number of points for infection that hackers can attack by many orders of magnitude. It is not hard to see that trust in the data communicated via an ubiquitous (and nosey) IoT will be necessary for it to be widely adopted. Without trust, the IoT will fail to launch. It’s as simple as that. In fact, the recognized inventor of the Internet, Vint Cerf, completely agrees saying that the Internet of Things requires strong authentication. In other words, no security? No IoT for you!
There is much more to the story behind why the IoT needs strong security. Because the world has become hyper-connected, financial and other sensitive transactions have become almost exclusively electronic. For example, physical checks don’t need to be collected and cancelled any more — just a scanned electronic picture does the job. Indeed, the September 11th terror attacks on the U.S. that froze air travel and the delivery of paper checks accelerated the move to using images to clear checks to keep the economy moving.
Money now is simply electronic data, so everyone and every company are at risk of financial losses stemming directly from data breaches. See? Data banks are where the money is now kept, so data is what criminals attack. While breaches are, in fact, being publicized, there has not been much open talk about their leading to significant corporate financial liability. That liability, however, is real and growing. CEOs should not be the least bit surprised when they start to be challenged by significant shareholder and class action lawsuits stemming from security breaches.
Although inadvertent, companies are exposing identities and sensitive financial information of millions of customers, and unfortunately, may not be taking all the necessary measures to ensure the security and safety of their products, data, and systems. Both exposure of personal data and risk of product cloning can translate to financial damages. Damages translate to legal action.
The logic of tort and securities lawyers is that if proven methods to secure against hacking and cloning already exist, then it is the fiduciary duty of the leaders of corporations (i.e. the C-suite occupants) to embrace such protection mechanisms (like hardware-based key storage), and more importantly, not doing so could possibly be argued as being negligent. Agree or not, that line of argumentation is viable, logical, and likely.
A few CEOs have already started to equip their systems and products with strong hardware-based security devices… but they are doing it quietly and not telling their competitors. This also gives them a competitive edge, besides protecting against litigation.
Software, Hardware, and Hackers
Why is it that hackers are able to penetrate systems and steal passwords, digital IDs, intellectual property, financial data, and other secrets? It’s because until now, only software has been used to protect software from hackers. Hackers love software. It is where they live.
The problem is that rogue software can see into system memory, so it is not a great place to store important things such as passwords, digital IDs, security keys, and other valuable things. The bottom line is that all software is vulnerable because software has bugs despite the best efforts of developers to eliminate them. So, what about storing important things in hardware?
Hardware is better, but standard integrated circuits can be physically probed to read what is on the circuit. Also, power analysis can quickly extract secrets from hardware. Fortunately, there is something that can be done.
Several generations of hardware key storage devices have already been deployed to protect keys with physical barriers and cryptographic countermeasures that ward off even the most aggressive attacks. Once keys are securely locked away in protected hardware, attackers cannot see them and they cannot attack what they cannot see. Secure hardware key storage devices — most notably Atmel CryptoAuthentication — employ both cryptographic algorithms and a tamper-hardened hardware boundary to keep attackers from getting at the cryptographic keys and other sensitive data.
The basic idea behind such protection is that cryptographic security depends on how securely the cryptographic keys are stored. But, of course it is of no use if the keys are simply locked away. There needs to be a mechanism to use the keys without exposing them — that is the other part of the CryptoAuthentication equation, namely crypto engines that run cryptographic processes and algorithms. A simple way to access the secret key without exposing it is by using challenges (usually random numbers), secret keys, and cryptographic algorithms to create unique and irreversible signatures that provide security without anyone being able to see the protected secret key.
Crypto engines make running complex mathematical functions easy while at the same time keeping secret keys secret inside robust, protected hardware. The hardware key storage + crypto engine combination is the formula to keeping secrets, while being easy-to-use, available, ultra-secure, tiny, and inexpensive.
According to The Washington Post, Chinese hackers are suspected of breaching the computer networks of the U.S. Postal Service, compromising the data of more than 800,000 employees.
What information was breached? The breach is believed to have affected not only letter carriers and employees working in the inspector general’s office including the postmaster general himself. The stolen customer information includes names, email addresses and phone numbers. In addition, the exposed employee data may include personally identifiable information, such as names, dates of birth, social security numbers, addresses, beginning and end dates of employment, emergency contact information and other information. No customer credit card information from post offices or online purchases at USPS.com were breached.
How did it happen? Sources said that the attack was carried out by “a sophisticated actor” who apparently was not interested in identity theft or credit card fraud.
When did it happen? Unnamed officials note that the attack was discovered back in mid-September. In its statement, the USPS said that other than employee details, information about customers who called or emailed the agency’s Customer Care Center between January 1st and August 16th of this year were accessed.
What are they saying? “It is an unfortunate fact of life these days that every organization connected to the Internet is a constant target for cyber intrusion activity. The United States Postal Service is no different. Fortunately, we have seen no evidence of malicious use of the compromised data and we are taking steps to help our employees protect against any potential misuse of their data,” explained Postmaster General Patrick Donahoe.
Not only were 56 million credit card numbers stolen from Home Depot earlier this year, investigators have now revealed that more than 53 million email addresses were exposed as well.
What information was breached? In addition to the previously disclosed payment card data, Home Depot has issued in a statement that separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information.
How did it happen? According to the home improvement retailer, the hackers initially accessed its network back in April using a third-party vendor’s username and password. The hackers were able to acquire “elevated rights” that allowed them to navigate parts of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems throughout both the United States and Canada.
When did it happen? The malicious software was active on Home Depot’s network between April and September of this year. In the wake of recent incidents, the retailer has added more encryption to its credit card payment systems.
Data security is becoming a virtual battleground — evident by the number of major data breaches that have broken out at retailers such as Target, Staples, Dairy Queen, Home Depot and EBay, at major banks such as JP Morgan, and at many other institutions worldwide. The recent spate of security viruses such as Heartbleed, Shellshock, Poodle, and BadUSB (and who knows what’s next) have been creating serious angst and concern. And, rightfully so. The question is what exactly should you bring to the cyber battleground to protect your assets? This question matters because everyone who is using software to store cryptographic keys is vulnerable to losing sensitive personal data, and today that is just about everybody. So, choose your weapons carefully.
Fortunately, there are weapons now available that are very powerful while still being cost-effective. The strongest data protection available comes from hardware key storage, which beats software key storage every time. Keys are what make cryptography possible, and keeping secret keys secret is the secret to cryptography. Atmel’s portfolio contains a range of innovative and robust hardware-based security products, with the heavy artillery being the Trusted Platform Module (TPM).
TPM
The TPM is a cryptographic device with heavy cryptographic firepower, such as Platform Configuration Registers, protected user configurable non-volatile storage, an enforced key hierarchy, and the ability to both seal and bind data to a TPM. It doesn’t stop there. Atmel’s TPM has a variety of Federal Information Processing Standards (FIPS) 140-2 certified cryptographic algorithms (such as RSA, SHA1, AES, RNG, and HMAC) and various sophisticated physical security counter-measures. The TPM can be used right out-of-the-box with standards-based commands defined by the Trusted Computing Group, along with a set of Atmel-specific commands, which are tested and ready to counter real world attacks.
The Arsenal
Platform Configuration Registers and Secure Boot
One of the important weapons contained in the TPM is a bank of Platform Configuration Registers (PCRs), which use cryptographic hashing functions. These registers can be used to ensure that only trusted code gets loaded at boot time of the system. This is done by using the existing data in a PCR as one input to a hashing function with the other input being new data. The result of that hashing function becomes the new PCR value that will be used as the input to the next hashing function with the next round of new data. This process provides security by continuously changing the value of the PCR.
As the PCR value gets updated, the updated values can then be compared with known hash values stored in the system. If the reference values previously stored in the TPM compare correctly with the newly generated PCR values, then the inputs to the hashing function (new data in the diagram) are proven to have been exactly the same as the reference inputs whose hash is stored on the TPM. Such matching of the hash values verifies the inputs as being authentic.
The PCR flow just described is very useful when enforcing secure boot of the system. Unless the hashes match showing that the code is, indeed, what it is supposed to be, the code will not be loaded. Even if a byte is added, deleted, changed, or if a bit is modified, the system will not boot. For secure boot, the data input to the hashing function is a piece of the BIOS (or operating system).
User Configurable Non-Volatile Storage
Another weapon is user-configurable, non-volatile storage with multiple configuration options. What this means is that the user is presented with several ways to restrict the access and use of the memory space, such as by password, physical presence of the user, and PCR states. Additionally, the memory space can be set up so that it can be written only once, not read until the next write or startup of the TPM, not written to until the next startup of the TPM, and others.
Enforced Key Hierarchy
The TPM also incorporates an enforced key hierarchy, meaning that the keys must have another key acting as a parent key (i.e. a key higher in a hierarchy) for that key to get loaded into the TPM. The authorization information for the parent key needs to be known before the child key can be used, thereby adding another layer of security.
Binding and Sealing Data
Another part of the TPM’s arsenal is the ability to bind and/or seal data to the TPM. A seal operation keeps the data contained (i.e. “sealed”) so that it can only be accessed if a particular pre-defined configuration of the system has been reached. This pre-defined configuration is held within the PCRs on the TPM. The TPM will not unseal the data until the platform configuration matches the configuration stored within the PCRs.
A bind operation creates encrypted data blobs (i.e. binary large objects) that are bound to a private key that is held within the TPM. The data within the blob can only be decrypted with the private key in the TPM. Thus, the data is said to be “bound” to that key — such keys can be reused for different sets of data.
The Armor
So the Atmel TPM has some pretty cool weapons in its arsenal, but does it have any armor? The answer is yes it does!
FIPS 140-2 Certified
Atmel has dozens of FIPS 140-2 full module-level certified devices with various I/O’s including LPC, SPI, and I2C. The TPM uses a number of FIPS certified algorithms to perform its operations. These standards were developed, tested, and certified by the United States federal government for use in computer systems. The TPM’s FIPS certified algorithms include RSA, SHA1, HMAC, AES, RNG and CVL (find out more details on Atmel’s TPM FIPS certifications here).
Active Metal Shield
The TPM has built-in physical armor of its own. A serpentine active metal shield with tamper detection covers the entire device. If someone attempts to penetrate this shield to see the structures beneath it, the TPM can detect this and go into a fault condition that prevents further actions on the TPM.
Why TPM?
You might be asking, “Why can’t all those functions just be done in software?” While some of the protections can be provided in software, software alone is not nearly as robust as a hardware-based system. That is because software has bugs, despite how hard the developers try to eliminate them, and hackers can exploit those bugs to gain access to supposedly secure systems. TPM, on the other hand,stores secret keys in protected hardware that hackers cannot get access to, and they cannot attack what they cannot see.
The TPM embeds intelligence via an on-board microcontroller to manage and process cryptographic functions. The commands used by the Atmel TPM have been defined and vetted by the Trusted Computing Group (TCG), which is a global consortium of companies established to define robust standards for hardware security. Furthermore, the Atmel TPM has been successfully tested against TCG’s Compliance Test Suite to ensure conformance. Security is also enhanced because secrets never leave the TPM unless they have been encrypted.
With the battle for your data being an on-going reality, it simply makes sense to fight back with the heaviest artillery available. Combining all the weaponry and armor in one small, strong, cost effective, standards-based and certified package makes the Atmel TPM cryptographic the ideal choice for your arsenal.
This blog was contributed by Tom Moulton, Atmel Firmware Validation Engineer.
