Page 95 - Cyber Warnings

Lazarus: Data Leakage With Cryptographic System



You have most probably already received the recommendation, or even had it imposed on you, to
use a "strong password" in your applications. A strong password is usually defined as one of at
least 10 characters that mixes uppercase and lowercase letters, digits and special characters,
and that is not a word found in a dictionary. Another thing you may have heard of is
cryptography. Encryption is a method by which text is scrambled so that nobody who does not
hold the key (in practice, very often a password) can read it.


Who needs cryptography? Governments, companies and you! Various open source and commercial
programs promise to help you, your company and your country maintain privacy and information
security. These programs use modern mathematical algorithms to turn your intellectual property
into a string of characters that is completely unreadable to a stranger but readable by whoever
holds the correct password. Notice that this protection, once again, brings us back to the
system of passwords. It is not realistic, however, to require people to remember dozens of
"strong passwords" for their bank accounts, e-commerce sites, workplace systems and personal
devices. Some systems accept only digits, others allow only six positions, others demand a
password that is impossible to remember, and the result is that passwords get reused or written
down, which makes the whole process less secure.

To work around this problem, some products adopt procedures that are appalling from an
information-security point of view. One example is the recovery key in Microsoft's BitLocker®.
This encryption system lets the user choose a password of up to 256 characters using every
option on the keyboard, but the system itself also generates an automatic "recovery key" of 48
decimal digits. The problem is not that this key is weak: the 48 digits encode 128 bits of random
key material (eight groups of six digits, each carrying a 16-bit value plus a built-in check
digit), which is beyond any brute-force attack and stronger than almost any typed password. The
problem is that it is a second, independent credential, created automatically, whose storage the
user often does not control (printed, saved to a file, or escrowed to Active Directory or a
Microsoft account), and anyone who can read it opens the drive without ever knowing the user's
password. That is the equivalent of locking your front door with a thick, thick padlock while
the house automatically hangs a spare key on a hook that other people can reach.
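The two credentials discussed above, as an added example that is not code from the original article or from Microsoft: it validates a BitLocker recovery password, extracts the key material it encodes and compares its size with that of a "strong" ten-character typed password as defined at the start of the article. The format rules (eight six-digit groups, each a multiple of 11 whose quotient fits in 16 bits) follow public documentation of the format such as the libbde project; the little-endian packing of each 16-bit value is an assumption made for illustration, and the sample recovery password is constructed, not a real one.

```python
import math
import re

# Constructed sample, not a real recovery password: each group is a 16-bit
# value multiplied by 11, which is the documented shape of the format.
SAMPLE_RECOVERY_PASSWORD = "604802-135795-720885-000000-440000-000077-344707-715000"

GROUP_RE = re.compile(r"^\d{6}$")


def parse_recovery_password(text: str) -> bytes:
    """Validate a 48-digit BitLocker recovery password and return the 16 bytes
    of key material it encodes.

    Format (per public documentation, e.g. the libbde project): eight groups of
    six decimal digits; every group must be a multiple of 11 (a built-in typo
    check) and its quotient must fit in 16 bits. Little-endian packing of each
    16-bit value is assumed here for illustration.
    """
    groups = text.strip().split("-")
    if len(groups) != 8:
        raise ValueError("expected 8 groups separated by '-'")
    key = bytearray()
    for group in groups:
        if not GROUP_RE.match(group):
            raise ValueError(f"group {group!r} is not exactly 6 digits")
        value = int(group)
        if value % 11 != 0:
            raise ValueError(f"group {group} fails the divisible-by-11 check")
        value //= 11
        if value > 0xFFFF:
            raise ValueError(f"group {group} exceeds the 16-bit range")
        key += value.to_bytes(2, "little")
    return bytes(key)


def recovery_key_bits(text: str) -> int:
    """Key material in a well-formed recovery password: 16 bits per group, 128 total."""
    return len(parse_recovery_password(text)) * 8


def typed_password_bits(length: int, alphabet_size: int) -> float:
    """Upper bound (uniformly random characters) for a typed password."""
    return length * math.log2(alphabet_size)


def compare(recovery_password: str, typed_length: int = 10, alphabet_size: int = 94) -> dict:
    """Compare the two credentials that open the same drive. 94 is the printable
    ASCII set without the space, a typical 'every key on the keyboard' alphabet."""
    return {
        "recovery_key_bits": recovery_key_bits(recovery_password),
        "typed_password_bits": round(typed_password_bits(typed_length, alphabet_size), 1),
    }


if __name__ == "__main__":
    print(parse_recovery_password(SAMPLE_RECOVERY_PASSWORD).hex())
    print(compare(SAMPLE_RECOVERY_PASSWORD))
```

A ten-character password drawn uniformly from the whole keyboard reaches about 65 bits, and real human-chosen passwords are far below that; the recovery password sits at 128 bits. Whoever can read the printed sheet or the escrowed copy therefore holds the stronger of the two keys to the drive.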

BitDefender's encryption products and all the open source systems derived from TrueCrypt share a
weakness that is tied to how they are used rather than to their algorithms. For the protection
to be real, the user must install the software personally and be the only person who creates the
cryptographic containers. Unfortunately, that is not what usually happens with CEOs, politicians,
researchers and home users. These people rely on an IT professional to perform these tasks, and
in large companies the job is commonly delegated to the IT trainee. That is where the big
security flaw lies. No matter how many times the CEO changes the password of the container, that
trainee can keep full access to the information recorded in it, even after eventually going to
work for the competitor. The technical reason is that in TrueCrypt-style volumes a password
change only re-encrypts the volume header; the master key that actually encrypts the data is
never replaced, so anyone who kept a copy of the original header (VeraCrypt even offers a
"Backup Volume Header" function) can still open the volume with the old password. The only real
fix is to create a fresh volume with a new master key and move the data into it.
Perhaps the most famous program is PGP (Pretty Good Privacy), created by Phil Zimmermann and now
owned by security giant Symantec. Symantec has built a corporate encryption system that allows
several users to share the same cryptographic container. It is an interesting idea, because it
lets administrators grant or revoke each user's access to the container.
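The failure described in the last two paragraphs, as an added example that is not code from the original article nor from any of the products named: a toy model of a shared container with one random master key that encrypts the data and one password-protected "key slot" per user in the header, the general design behind TrueCrypt-derived volumes and multi-user containers. It shows that changing a password or deleting a user's slot only re-wraps or removes access to the same master key, so a former trainee who kept a copy of the old header still reads everything, and that only rotating the master key and re-encrypting the data locks them out. User names, passwords and plaintext are constructed; the HMAC-based stream cipher is a stand-in for the products' real ciphers and must not be used for anything else.

```python
import copy
import hashlib
import hmac
import os

ITERATIONS = 100_000            # PBKDF2 work factor
WRAP_NONCE = b"master-key-slot!"  # fixed nonce is safe here: every wrap uses a fresh salt/key


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Password -> 32-byte key-encryption key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=32)


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from HMAC-SHA256; the same call
    encrypts and decrypts. Demonstration only: no authentication tag."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def wrap_master(master: bytes, password: bytes) -> dict:
    """A header 'key slot': the master key encrypted under one user's password."""
    salt = os.urandom(16)
    return {"salt": salt, "wrapped": xor_stream(derive_key(password, salt), WRAP_NONCE, master)}


def unwrap_master(slot: dict, password: bytes) -> bytes:
    return xor_stream(derive_key(password, slot["salt"]), WRAP_NONCE, slot["wrapped"])


def create_container(plaintext: bytes, users: dict) -> dict:
    """users maps name -> password. One master key encrypts the data; the header
    holds one slot per user, all wrapping that same master key."""
    master, nonce = os.urandom(32), os.urandom(16)
    return {
        "header": {name: wrap_master(master, pw) for name, pw in users.items()},
        "nonce": nonce,
        "data": xor_stream(master, nonce, plaintext),
    }


def open_container(header: dict, name: str, password: bytes, container: dict) -> bytes:
    """Decrypt using a header that may be an old copy, not the container's current one."""
    master = unwrap_master(header[name], password)
    return xor_stream(master, container["nonce"], container["data"])


def change_password(container: dict, name: str, old_pw: bytes, new_pw: bytes) -> None:
    """What 'change password' does in TrueCrypt-style designs: re-wrap the same master key."""
    master = unwrap_master(container["header"][name], old_pw)
    container["header"][name] = wrap_master(master, new_pw)


def revoke_user(container: dict, name: str) -> None:
    """Administrative revocation: the user's slot disappears, the master key does not."""
    del container["header"][name]


def rekey_container(container: dict, opener: str, opener_pw: bytes, users: dict) -> None:
    """The change that really locks out old header copies: new master key and
    nonce, all data re-encrypted, slots rebuilt only for the users listed."""
    plaintext = open_container(container["header"], opener, opener_pw, container)
    master, nonce = os.urandom(32), os.urandom(16)
    container["header"] = {name: wrap_master(master, pw) for name, pw in users.items()}
    container["nonce"] = nonce
    container["data"] = xor_stream(master, nonce, plaintext)


def lazarus_demo() -> dict:
    """Trainee creates the container and keeps a header backup; is revoked; CEO
    changes the password; the trainee still reads until the volume is rekeyed."""
    secret = b"board minutes: constructed sample plaintext"  # constructed data
    ceo_pw, trainee_pw = b"ceo-password-1", b"trainee-password"
    box = create_container(secret, {"ceo": ceo_pw, "trainee": trainee_pw})
    header_backup = copy.deepcopy(box["header"])  # the trainee's 'Backup Volume Header'

    revoke_user(box, "trainee")
    change_password(box, "ceo", ceo_pw, b"ceo-password-2")
    after_revoke = open_container(header_backup, "trainee", trainee_pw, box) == secret

    rekey_container(box, "ceo", b"ceo-password-2", {"ceo": b"ceo-password-2"})
    after_rekey = open_container(header_backup, "trainee", trainee_pw, box) == secret
    ceo_ok = open_container(box["header"], "ceo", b"ceo-password-2", box) == secret
    return {"trainee_reads_after_revoke": after_revoke,
            "trainee_reads_after_rekey": after_rekey,
            "ceo_reads_after_rekey": ceo_ok}


if __name__ == "__main__":
    print(lazarus_demo())
```

The decisive line is in `change_password`: the master key comes out of the old slot and goes straight into the new one unchanged. Revoking a user or changing every password rewrites nothing but header slots, so the old header plus the old password is a permanent key to whatever the container holds today. In products that support it, the equivalent of `rekey_container` is creating a new volume and copying the data across.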

It is the flaw in this system that gives the article its name, a reference to the Holy Bible and the
story of Lazarus, who according to the scriptures returned from the world of the dead. With
95 Cyber Warnings E-Magazine – June 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
