By Rodrigo Ruiz & Rogério Winter
You have most probably already received the recommendation, or even the imposition, of keeping a “strong password” for your applications. A strong password is one of at least 10 characters mixing uppercase and lowercase letters, digits and special characters, and that is not a word found in a dictionary. Another thing you may have heard of is cryptography. Cryptography is a method by which text is scrambled so that no one without the key (in practice usually derived from a password) can read it.
Who needs cryptography? Governments, companies and you! Various open-source or paid computer programs promise to help you, your company and your country maintain privacy and information security. These programs use modern mathematical algorithms to turn your intellectual property into a set of characters that is completely unreadable to a stranger but can be read by someone who has the correct password. Notice that this protection ultimately brings us back to the system of passwords. However, it is unrealistic to expect people to memorize dozens of “strong passwords” for their bank accounts, e-commerce sites, systems at work and their personal devices. Some systems only accept numbers, others allow only 6 positions, others demand a password that is impossible to remember, which ends up making the whole process less secure, since the password is then written down or reused.
To circumvent this problem, there are procedures that are appalling from the point of view of information security, such as the recovery key in Microsoft’s BitLocker®. This encryption system allows the user to create a password of up to 256 characters using every option on the keyboard, but the system itself generates an automatic 48-digit numeric “recovery key” that unlocks the volume regardless of the password. That is the equivalent of locking your house with a thick, thick padlock at the front door while the house itself automatically and imperatively adds a second padlock like the ones you normally see on baggage at airports. In fairness, the 48 digits encode 128 bits of key material, so the recovery key is not weak against guessing; the problem is that it is a second, fixed credential the user did not choose, which is routinely printed, saved to a file or escrowed to a Microsoft account or Active Directory, and whoever obtains that copy bypasses the password entirely.
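To see what the 48 digits actually contain, here is an added example written for this article (not Microsoft’s code). It validates the publicly documented structure of a BitLocker recovery password, as described for instance in the libbde project’s format notes, and recovers the 16 bytes it encodes. The little-endian byte order of the 16-bit groups is an assumption taken from those notes and matters only if one goes on to derive keys from the value, which this example does not.

```python
"""Validate a BitLocker-style 48-digit recovery password and recover the
128-bit value it encodes.

Added example for this article, not Microsoft's code. Structure as publicly
documented (e.g. by the libbde project): eight blocks of six decimal digits;
each block read as an integer is divisible by 11, and block // 11 fits in
16 bits. The eight 16-bit values are the key material: 128 bits in total.
"""
import re
import secrets

BLOCKS = 8
DIGITS_PER_BLOCK = 6
MAX_BLOCK = 0xFFFF * 11      # 720885, the largest block that still fits 16 bits
BYTE_ORDER = "little"        # assumption: little-endian, per libbde's notes


def parse_recovery_password(text: str) -> bytes:
    """Return the 16 key bytes encoded by a recovery password, or raise
    ValueError if the string is not structurally valid."""
    digits = re.sub(r"[\s-]", "", text)
    if not digits.isdigit() or len(digits) != BLOCKS * DIGITS_PER_BLOCK:
        raise ValueError("expected 48 digits in 8 groups of 6")
    key = bytearray()
    for i in range(BLOCKS):
        block = int(digits[i * DIGITS_PER_BLOCK:(i + 1) * DIGITS_PER_BLOCK])
        if block % 11 != 0:
            raise ValueError(f"block {i + 1} fails the mod-11 check")
        if block > MAX_BLOCK:
            raise ValueError(f"block {i + 1} exceeds 16 bits")
        key += (block // 11).to_bytes(2, BYTE_ORDER)
    return bytes(key)


def format_recovery_password(key: bytes) -> str:
    """Inverse of parse_recovery_password: 16 key bytes -> 48-digit string."""
    if len(key) != 16:
        raise ValueError("need exactly 16 bytes")
    blocks = []
    for i in range(BLOCKS):
        value = int.from_bytes(key[2 * i:2 * i + 2], BYTE_ORDER) * 11
        blocks.append(f"{value:0{DIGITS_PER_BLOCK}d}")
    return "-".join(blocks)


def entropy_bits(text: str) -> int:
    """Bits of key material in a valid recovery password (always 128).
    48 decimal digits could hold about 159 bits; the mod-11 and 16-bit
    range constraints cut that to exactly 8 * 16."""
    parse_recovery_password(text)
    return BLOCKS * 16


def random_recovery_password() -> str:
    """Generate a fresh, structurally valid recovery password."""
    return format_recovery_password(secrets.token_bytes(16))


if __name__ == "__main__":
    # Constructed sample: the 16 bytes 00 01 ... 0f, not a real key.
    sample = format_recovery_password(bytes(range(16)))
    print(sample, "->", parse_recovery_password(sample).hex(), entropy_bits(sample), "bits")
```

The check a practitioner takes away from this is that a leaked recovery key is a full 128-bit secret, not a weak PIN: the response to a leak is to rotate the recovery password on the volume, not to rely on the attacker failing to guess it.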
BitDefender’s encryption systems and all open-source systems derived from TrueCrypt have a security hole that is closely linked to the usage procedure. To really obtain security, it is imperative that users install the system themselves and that only they create the cryptographic containers. Unfortunately, that is not what usually happens with CEOs, politicians, researchers and home users. These people usually rely on an IT professional to perform these activities; in large companies it is common for the task to be delegated to the IT trainee. That is where we have a big security flaw. No matter how many times the CEO changes the password of the cryptographic container, that trainee will always be able to have full access to the information recorded in the container, even after he eventually goes to work for the competitor. The reason is structural: in TrueCrypt-style containers the password protects only the volume header, which holds the master key that actually encrypts the data. Changing the password re-encrypts the header under the new password but leaves the master key untouched, so anyone who kept a copy of the header (or extracted the master key) while the old password was valid keeps access. Only creating a new container with a new master key and moving the data into it cuts that access off. Perhaps the most famous program is PGP (Pretty Good Privacy), created by Phil Zimmermann and now owned by security giant Symantec. Symantec built a corporate encryption system that allows multiple users to share the same cryptographic container, an interesting idea, since it lets management grant or revoke each user’s access to the container.
It is the flaw in this system that gives this article its name, a reference to the Holy Bible and the story of Lazarus, who according to scripture returned from the dead. With a relatively simple technique, an attacker can bring a deleted user back to life: using credentials recovered from that user, the attacker can still read data encrypted for that user even after the user has been removed from the container.
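The TrueCrypt-style password change and the revoked PGP user are two instances of one structural flaw: a credential is a key that wraps a fixed data key, and changing or removing the credential rewrites only the header. The following is an added example written for this article, not code from TrueCrypt, VeraCrypt or Symantec’s PGP products, and it is a simplified symmetric model in which every user holds a password rather than a PGP key pair. It builds such a container, lets one user keep a copy of the header from the day he set it up, and shows that the copy still opens the current data after a password change and after a naive user removal, but not after a removal that generates a new data key and re-encrypts the body. The sample secret, user names and passwords are constructed.

```python
"""Toy multi-user encrypted container: one data-encryption key (DEK) for the
body and one header slot per user that wraps the DEK under a password-derived
key-encryption key (KEK). Added example for this article, not code from
TrueCrypt, VeraCrypt or Symantec's PGP products. The cipher is HMAC-SHA256 in
counter mode (a PRF stream) with encrypt-then-MAC, so only the standard
library is needed; it models the header/master-key layout, nothing more.
"""
import copy
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: concatenated HMAC-SHA256(key, nonce || i) blocks."""
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under `key` with a fresh random nonce."""
    nonce = os.urandom(16)
    ct = xor(plaintext, keystream(key, nonce, len(plaintext)))
    return {"nonce": nonce, "ct": ct, "tag": hmac.new(key, nonce + ct, hashlib.sha256).digest()}

def open_sealed(key: bytes, box: dict) -> bytes:
    tag = hmac.new(key, box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, box["tag"]):
        raise PermissionError("key does not match")
    return xor(box["ct"], keystream(key, box["nonce"], len(box["ct"])))

def kek_from_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000, 32)  # low count: demo only

def wrap_dek(dek: bytes, password: str) -> dict:
    """One header slot: the DEK sealed under this user's KEK."""
    salt = os.urandom(16)
    return {"salt": salt, "box": seal(kek_from_password(password, salt), dek)}

def unwrap_dek(slot: dict, password: str) -> bytes:
    return open_sealed(kek_from_password(password, slot["salt"]), slot["box"])

def create_container(plaintext: bytes, users: dict) -> dict:
    dek = os.urandom(32)
    return {"slots": {u: wrap_dek(dek, pw) for u, pw in users.items()}, "body": seal(dek, plaintext)}

def open_container(container: dict, user: str, password: str) -> bytes:
    if user not in container["slots"]:
        raise PermissionError("no such user")
    return open_sealed(unwrap_dek(container["slots"][user], password), container["body"])

def change_password_naive(container: dict, user: str, old_pw: str, new_pw: str) -> dict:
    """Rewrap the *same* DEK under a new password: only the header changes."""
    c = copy.deepcopy(container)
    c["slots"][user] = wrap_dek(unwrap_dek(c["slots"][user], old_pw), new_pw)
    return c

def revoke_user_naive(container: dict, user: str) -> dict:
    """Delete the user's slot but keep the DEK: the body is untouched."""
    c = copy.deepcopy(container)
    del c["slots"][user]
    return c

def revoke_user_rekey(container: dict, admin: str, admin_pw: str, remaining: dict) -> dict:
    """Proper revocation: fresh DEK, body re-encrypted, remaining users re-enrolled.
    (With public-key slots, as in PGP, an admin could rewrap without the other
    users' secrets; with password slots they must re-enter their passwords.)"""
    return create_container(open_container(container, admin, admin_pw), remaining)

def resurrect(stale_header: dict, live: dict, user: str, password: str) -> bytes:
    """Attacker holding an old header copy (taken while `user` was still valid)
    and that user's old password tries to read the *current* body."""
    return open_sealed(unwrap_dek(stale_header["slots"][user], password), live["body"])

def demo() -> dict:
    secret = b"board minutes: bid for competitor X at 42/share"  # constructed sample
    c = create_container(secret, {"ceo": "Tr0ub4dor&3", "trainee": "setup-123"})
    stale = copy.deepcopy(c)  # the trainee kept a header backup from setup day
    # CEO changes password and the trainee is removed, but the DEK never rotates.
    c1 = revoke_user_naive(change_password_naive(c, "ceo", "Tr0ub4dor&3", "new-pass"), "trainee")
    naive_leak = resurrect(stale, c1, "trainee", "setup-123") == secret
    # Revocation that rotates the DEK and re-encrypts the body.
    c2 = revoke_user_rekey(c, "ceo", "Tr0ub4dor&3", {"ceo": "new-pass"})
    try:
        resurrect(stale, c2, "trainee", "setup-123")
        rekey_blocked = False
    except PermissionError:
        rekey_blocked = True
    return {"naive_leak": naive_leak, "rekey_blocked": rekey_blocked}

if __name__ == "__main__":
    print(demo())  # {'naive_leak': True, 'rekey_blocked': True}
```

The design point is the one the article makes in prose: a password change or a user removal that touches only the header is a cosmetic change, and real revocation costs a full re-encryption of the data under a new key. That cost is why products skip it, and why a saved header plus an old credential is enough to raise a revoked user from the dead.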
You, your politicians, your companies and your governments put their secrets at risk when they blindly trust the advertisements. Understanding the general aspects of what a cryptographic system is, and handling credentials correctly, can save your business. As important as how big the padlock protecting your secret is, it matters whose hands your key passed through before it reached you, and where and how you keep it. This article is based on the original research “Corrosive secrecy and confidence: the paradox among bypassing cryptographic software, the loss of privacy and information security”, published in Cyber Security Review Magazine, and the original article “Lazarus: Data Leakage with PGP and Resurrection of the Revoked User”, published in the Journal of Cyber Security and Mobility. You can read the full research on the author’s ResearchGate profile.
About the Authors
Rodrigo Ruiz is a researcher at CTI Renato Archer (Information Technology Center), Campinas, Brazil. He is a member of the SDIWC (The Society of Digital Information and Wireless Communications), has published papers on privacy and security, and is co-author of Apoc@lypse: The End of Antivirus. https://www.researchgate.net/profile/Rodrigo_Ruiz3
Rogério Winter is a colonel in the Brazilian Army and head of institutional relations at CTI Renato Archer, with more than 25 years of experience in military operations and cybersecurity. He holds a master’s degree in Electronic Engineering and Computation from the Aeronautics Technological Institute (ITA), is a member of the SDIWC (The Society of Digital Information and Wireless Communications), currently works on warfare, cybernetics, command and control and the decision-making process, and is co-author of Apoc@lypse: The End of Antivirus.