Tuesday, June 28, 2016

We're Going About It All Wrong

   Phishing, scam, spam and malicious emails are an ongoing problem.  A recent study found that rates of these malicious emails are worst in months that have an "a", "u" or "r" in the name, with highest delivery volumes on days ending in a "y".

   Seriously though, while the worldwide spam volume seems to be trending down since a peak over 70% in 2014, rates were trending up in the first quarter of 2016 and the percentage of email that is spam or malicious is well over 50%.

   Email, along with malicious files on websites (whose links are usually delivered through email!), continue to be the top malware vectors.

   In fact, attackers don't even need to use their best, or most complex, attack methods.  It's far more cost-effective to send out random or targeted email, or to place random malicious files on websites and email out the links.  Remember, most cybercrime is economically motivated.  It's a business and the goal is ROI (return on investment).  And business is good.

   It's a big problem because we are fundamentally trusting beings.  I've always believed that people want to do the right thing.  When it comes to people, we should assume positive intent.

   However, email is not a person.

Tuesday, June 14, 2016

Because Math

   Encryption has been in the news again - whether it's ransomware, law enforcement and iPhones, bitcoin, quantum computing, or potential new laws.  Before we can "decrypt" all these issues, we need to talk a bit about what encryption is and isn't.

   There's an old saying in Security... "if you think encryption is the answer, you might not have understood the question".  I never liked the tone of that statement because it sounds kind of elitist, but it is basically true.  And that's because encryption is very confusing.

   Encrypting data is great because it means it can't read by unauthorized people.  And that is the trick... how to let the right people in and keep the wrong people out.  If my encrypted data is unreadable by anyone then that's called Ransomware!

   Encrypting my data so only I can read it is pretty easy.  It means that only I need the "key".  Of course, I better not loose that key!  Encrypting my data so I can share it with you is also pretty easy.  We just need a "shared secret".  If I need to share my data with a bunch of people then we get into something called "public key cryptography".  Here's a good explanation of that.

   Encryption is basically a solved problem.  Because math.  #math.  There are many great algorithms with cool names like Elliptic Curve, RSA and Two-Fish.