
We Need To Get Better At Cybersecurity!


Imagine if an electrical engineer found a fault in the wiring in your house, but said, “You have a fault, but it’ll take me 10 months to fix it!”, and then walked away, saying, “I’ll be back in 10 months’ time”.

Now imagine that the electrical engineer did not understand Ohm’s Law, and that you couldn’t trust them to even wire a plug. Well, in computer security, one of the weakest areas for the profession is encryption: the majority of security professionals would struggle to get past the basics of symmetric key encryption, and then lose it when it comes to the basics of PKI. At the core of the problem, too, is the general lack of understanding of encryption among software developers, where security is seen as an afterthought.

This problem was highlighted this week by a bug found in some of Fortinet’s products, and where a hard-coded encryption key was used to pass information from a device to a central server. This used an XOR operation and a static key. The discovery of the key is basically done by taking the cipher, and XOR’ing it with the original message:

Key = Cipher XOR (Message)

and that’s it. Once the key is known, every other cipher is then cracked! The packages which had the weaknesses included data on Web filtering, email and antivirus information.
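As an added example (not code from the post or from Fortinet), here is that key recovery in Python: a device XORs its reports with a static key, one known report leaks the key, and every other report then falls. The key, the two reports and the assumption that the key repeats with a fixed length are all constructed for the example.

```python
from itertools import cycle

# Constructed placeholder key; the real key from the Fortinet bug is not given on the page.
STATIC_KEY = b"\x13\x37\xc0\xde\xba\xbe"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Apply the repeating-key XOR the post describes. Because XOR is its own
    inverse, the same call both 'encrypts' and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def key_stream(cipher: bytes, message: bytes) -> bytes:
    """Key = Cipher XOR Message: a known message/cipher pair leaks the key
    stream for as many bytes as the known message covers."""
    return bytes(c ^ m for c, m in zip(cipher, message))


def find_period(stream: bytes) -> int:
    """Smallest p such that the stream repeats every p bytes, i.e. the static
    key length. Reliable once the known message is at least two key lengths."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_static_key(cipher: bytes, message: bytes) -> bytes:
    """Recover the static key from one known plaintext/ciphertext pair."""
    stream = key_stream(cipher, message)
    return stream[: find_period(stream)]


# Constructed sample traffic: two reports sent from a device to its central server.
KNOWN_REPORT = b"webfilter: allow https://example.org/ user=alice"
SECRET_REPORT = b"antivirus: quarantined C:\\Users\\bob\\invoice.exe"
KNOWN_CIPHER = xor_with_key(KNOWN_REPORT, STATIC_KEY)
SECRET_CIPHER = xor_with_key(SECRET_REPORT, STATIC_KEY)


def crack_other_message() -> bytes:
    """One known pair is enough to read every other message under the same key."""
    key = recover_static_key(KNOWN_CIPHER, KNOWN_REPORT)
    return xor_with_key(SECRET_CIPHER, key)


if __name__ == "__main__":
    print("recovered key:", recover_static_key(KNOWN_CIPHER, KNOWN_REPORT).hex())
    print("other report:", crack_other_message().decode())
```

The same property is why a static key offers no confidentiality at all: the fix is a per-session key from a proper key exchange with an authenticated cipher, not a better-hidden constant.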


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
