Is Open Source an Open Invitation to Hack Webmail Encryption?

In a move influenced by Edward Snowden’s revelations about the NSA’s email snooping, Yahoo and Google last week announced that they were cooperating on end-to-end encrypting their webmail products.

“We will release source code this fall so that the open source community can help us refine the experience and hunt for bugs,” said Yahoo Chief Information Security Officer John Stamos.

While the open source approach to software development has proven its value over and over again, the idea of opening up the code for security features to anyone with eyeballs still creates anxiety in some circles. Such worries are ill-founded, though.

One concern about opening up security code to anyone is that anyone will include the NSA, which has a habit of discovering vulnerabilities and sitting on them so it can exploit them at a later time. Such discoveries shouldn’t be a cause of concern, argued Phil Zimmermann, creator of PGP, the encryption scheme Yahoo and Google will be using for their webmail.

“If someone does find a bug and sits on it, someone else will find the same bug and not sit on it,” he told TechNewsWorld. “That’s why you want to have a lot of people looking at the code.”

Assume Nothing Secret

Although secrecy and crypto systems are commonly believed to go hand in hand, Zimmermann maintains that’s not the case at all. “You have to assume your opponent has the source code,” he said, “but you don’t care who else knows it. The only thing that you have to keep secret is the private key.”

In a system like PGP, there’s a public key — which anyone can hold — and a private key — which only you hold. Messages scrambled with the public key can only be unscrambled with the private key paired to it.

“Open source has been how we create good crypto for a long time,” Zimmermann noted. “PGP source code has been published since I released it in 1991. How do you expect people to trust it unless they can see for themselves that there are no backdoors?”

However, an open source project is only as good as the community that forms around it.

“When you have a lot more people using something day to day, developers are more inclined to work on it,” Cameron Camp, a senior researcher at Eset, told TechNewsWorld.

“When you have lots of interested people looking at the code, that usually makes for better code than a team working in private that don’t know what they don’t know,” he added.

Red Menace

It seems that whenever a company discovers an Advanced Persistent Threat these days, an accusatory finger is pointed at China. The result of all that negative publicity about the People’s Republic has been to give Chinese cyberspies a reputation as superhackers that may be undeserved.

“The Chinese are one of the major actors right now,” Scott Borg, CEO and chief economist of the U.S. Cyber Consequences Unit, told TechNewsWorld. “They’re doing more of this sort of thing than anyone else, but they’re a little less cunning than the Russians in their techniques, so they’re caught more of the time.”

In fact, the Russians have exploited the reputation of the Chinese to veil their own operations.

“The Russians are believed to use attack tools written in Chinese just to throw off analysts, just as the Chinese have used tools written in other languages for the same reasons,” Borg explained.

“Russia’s cyberintelligence people are very, very good,” he added. “They are better than the Chinese, so they’re a lot harder to catch.”

They also have different cyberespionage goals than the Chinese.

“The Russians are carrying out cyberattacks for information to give them a military or political edge,” Borg said. “The Chinese are seeking information to sustain their high economic growth rate. That means they need to do a vast number of business cyberattacks.”

Breach Diary

  • Aug. 11. Amazon Web Services announces multifactor authentication for its Amazon WorkSpaces product. Once this new feature has been enabled and configured, Amazon explains, users can log in to WorkSpaces by entering their Active Directory user name and password followed by an OTP (one-time passcode) supplied by a hardware or a software token.
  • Aug. 12. Schnuck Markets, a St. Louis-based supermarket chain, reaches settlement of lawsuits resulting from data breach in 2013. Shoppers with valid claims will receive US$200 for out-of-pocket expenses and lost time; $10 for each credit or debit card with fraudulent charges, and as much as $10,000 for extraordinary unreimbursed monetary losses.
  • Aug. 12. Adobe releases Windows patches for seven vulnerabilities in Flash Player and one in Adobe Reader.
  • Aug. 13. In interview with Wired, whistleblower Edward Snowden claims NSA accidentally shut down the Internet in Syria for four days in 2012 after botching attempt to plant a spy apparatus on a major ISP in the country.
  • Aug. 14. IBM X-Force researchers report new variant of Gameover Zeus malware spreading in the United Kingdom and Middle East. Two months ago international law enforcement authorities launched a worldwide crackdown on GOZ that resulted in a number of arrests.
  • Aug. 15. Supermarket chain Supervalu confirms it’s investigating data breach that could affect as many as 1,000 present and former outlets. Point-of-sale system attack appears similar to those on Target and other retailers in recent times.

Upcoming Security Events

  • Aug. 23. B-Sides Minneapolis-St. Paul. Nerdery! Free with registration.
  • Aug. 28. When the Sky Is Falling: High-Volume Reflection/Amplification Attacks. 10 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Sept. 6-7. B-Sides Dubai. Mövenpick Jumeirah Hotel, Dubai. Free.
  • Sept. 8-9. The Privacy Security Forum: Protecting Data Assets and Managing Risks. The Westin Hotel Waterfront, Boston. Registration: $750, health care providers and payers; $950, all others.
  • Sept. 9-10. Detroit SecureWorld. Ford Motor Conference & Event Center, 1151 Village Road, Dearborn, Mich. Registration: $695, two days; $545, one day.
  • Sept. 9-10. RSA Global Summit. Marriott Marquis, Washington, D.C. Registration: before Sept. 8, $745; online, $895; government, $545.
  • Sept. 12. Suits and Spooks London. Blue Fin Building, Southwick, London, UK. Registration: Pounds 200.
  • Sept. 13. B-Sides Memphis. Southwest Tennessee Community College, 5983 Macon Cove, Memphis, Tenn. Free.
  • Sept. 13. B-Sides Augusta. Georgia Regents University, Science Hall, 2500 Walton Way, Augusta, Ga. Free.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 23. Linking Enterprise and Small Business Security to Shore up Cyber Risks in the Supply Chain. 11 a.m. ET. InformationWeek webinar. Free with registration.
  • Sept. 23-24. St. Louis SecureWorld. America’s Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: $695, two days; $545, one day.
  • Sept. 26. B-Sides St. John’s. Uptown Kenmount Road, St. John’s, Newfoundland and Labrador. Free.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
  • Sept. 29-Oct. 2. ASIS 2014. Georgia World Congress Center, Atlanta. Registration: exhibits only, free; before August 30, members $450-$895, non-members $595-$1,150, government $450-$895, spouse $200-$375, student $130-$250; after August 29, member $550-$995, non-member $695-$1,250, government $550-$995, spouse $200-$475, student $180-300; a la carte, $50-$925.
  • Sept. 29-Oct. 3. Interop New York. Jacob Javits Convention Center, New York City. Expo: free. Total Access: early bird (July 1-Aug. 15) $2,899; regular rate (Aug. 16-Sept. 26), $3,099; Sept. 27-Oct. 3, $3,299.
  • Oct. 14-17. Black Hat Europe 2014. Amsterdam RAI, Amsterdam, The Netherlands. Registration: before Aug. 30, 1,095 euros; before Oct. 10, 1,295 euros; before Oct. 18, 1,495 euros.
  • Oct. 19-27. SANS Network Security 2014. Caesars Palace, Las Vegas, Nev. Courses: job-based, $3,145-$5,095; skill-based, $1,045-$3,950.
  • Dec. 2-4. Gartner Identity & Access Management Summit. Caesars Palace, Las Vegas, Nev. Registration: before Oct. 4, $2,150; after Oct. 4, $2,450; public employees, $2,050.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
