VeraCrypt | Part 2/2

In the last part of our article series, we discussed why user passwords are not sufficient to protect your data on a stolen device. In our third article, we will take a deeper look at the various encryption solutions offered by different manufacturers.

Let us have a closer look how operating system manufacturers deal with the options of data encryption. The handling of data encryption differs greatly.

Note. Apple and Google automatically encrypt the stored data in their current operating systems Android and iOS. However, the encryption is not only activated automatically, but is also completely transparent for the end-user.

This looks different when we look at standard computer operating systems. Due to the high market share of laptops with Windows and MacOS operating Systems, we will concentrate on those.

Apple offers the possibility to encrypt the stored data with the pre-installed program FileVault on all current MacOS devices. This application is available at no additional cost and can be activated with a few clicks. As with the Android and iOS encryption, the usage is completely transparent for the end user and not noticeable during daily use.

However, a different situation can be found with Windows. If we take a look at Microsoft’s operating system, we can see that companies often use the preinstalled tool BitLocker. An advantage of BitLocker is that it is generally possible to make the system encryption fully transparent, by using a hardware device called Trusted Platform Module (TPM). Due to this approach the user is not influenced in the everyday work.

Further BitLocker offers the possibility to increase the security by using an additional password. This will be requested when the operating system is started.

However, a big disadvantage of BitLocker is that the feature is not available within Home version of windows. This is the default version for private user. In order to make the encryption technology accessible for everyone, Microsoft has introduced a feature called Device Encryption since Windows 8.1. With this feature, it is possible to encrypt operating system drives in the same way as BitLocker. However, Microsoft has imposed some restrictions. In addition to extended hardware requirements, it is not possible to request an additional password when starting the operating system. Furthermore, the so-called recovery key, which can provide full access to the encrypted drive, is stored compulsorily either in a connected domain or via a Microsoft account at Microsoft. However, the first case only occurs in few cases for private users.

So, we can see that the two big operating system manufacturers in the notebook segment basically offer solutions that allow to encrypt the stored data. However, all of the solutions presented so far have a considerable disadvantage from a security point of view: They are not open source.

This means that the actual functionality and mode of operation of the tools is only known to the manufacturers themselves. External parties cannot easily check the source code. A general publication of the source code would enable experts to review the code and find possible implementation errors or security gaps and report them to the manufacturer. Furthermore, it would also be transparent to the outside world how the programs proceed and speculation about technically possible backdoors would be ended immediately.

Accordingly, publishing the source code would not only increase security, but also inspire confidence among users.

To overcome this problem, there is an increasing amount of third-party software that replaces the functionality of FileVault and BitLocker and tries to bring transparency into the field of encryption software through source openness. One of these applications is a program called VeraCrypt. What advantages VeraCrypt offers and what e2 Security has to do with it will be the subject of the next article of this series.

NEXT PART

In the last article of this series, we looked at the different encryption systems that Microsoft and Apple offer to their users to encrypt data on mobile devices. We noticed that although implementable solutions are offered, there is one fundamental disadvantage: all solutions offered are so-called closed-source solutions. The source code remains with the manufacturer and is not made publicly available.

Although this approach offers a good opportunity to protect the intellectual property of the manufacturer, it has some disadvantages from a security point of view. For example, it is only possible for experts to check the implementation of the encryption algorithms to a very limited extent and to detect possible implementation errors at an early stage.

Third-party providers such as VeraCrypt are addressing this issue by offering independent solutions for encryption. One of these alternative solutions that is widely used in specialist circles is the VeraCrypt software. The goal of VeraCrypt is to provide a free open-source application that allows users to encrypt all kind of data on their devices.

Even though VeraCrypt sounds like the perfect solution, the usability of the application is not very handy for the average user, and it is therefore challenging for non-experts.

VeraCrypt was developed by IT security professionals focusing to overcome the before discussed security challenges. In consequence the usability of the solution was not a priority. To be as flexible as possible and to adapt the solution to one’s own needs, the developers offer numerous configuration options during the setup process. These range from the selection of the encryption algorithm to the selection of the hash algorithm to the selection of the so-called Personal Iterations Multiplier (PIM).

For experts, this diversity represents an opportunity to adapt the implementation to their own needs in the best possible way. Average users, however, are often overwhelmed with the selection of the correct settings and the technical descriptions. In order to make the software and thus also the use of free open-source encryption software usable for the broad masses, it is therefore necessary to increase the usability.

e2 Security, a professional company for cybersecurity and digital transformation programs, wanted to leverage the usage of VeraCrypt as best available open-source solution for encryption on the market and decided to support the further development of VeraCrypt project. In collaboration with the Ruhr-University-Bochum, e2 Security developed a revised user interface to increase the user experience by the set-up process on the configuration of security default settings. The user interface has been fundamentally re-designed and eased up to increase the user experience and usage by average users. The goal could be achieved by the great collaboration with the University and the consideration of research results in the areas of security and usability. Now, even non-technical users can set-up the required settings to complete the process successfully and with minimal effort. For this purpose, possible secure selections were predefined, and corresponding menus restructured. In order to keep the strength of VeraCrypt, an advanced options menu was introduced, which continues to provide the familiar customization options for experts. Thus, in our proposal to further develop VeraCrypt, we managed to significantly reduce both the complexity of the setup wizard while shorten the set-up process significantly.

VeraCrypt basically distinguishes between three different types of encryption:

  1. the encryption of operating system drives
  2. the encryption of non-operating system drives
  3. the creation of encrypted containers for individual files and folders

Because of the scope setting, we started to simplify the usage for the encryption of operating systems disk first. As soon as the new solution will be available for all users, we will investigate, if the new process will be accepted by the community to further simplify all other encryption options within VeraCrypt.

We, as e2 Security, are firmly convinced that two components are always required for a successful security measure:

First, a technically effective and secure implementation is mandatory. Second, the solution must be simple to use for the end users with little effort. The goal must therefore be to develop applications such as VeraCrypt easy and as simple as possible for everybody, to increase the user acceptance.

e2 Security would like to thank all those who supported the project. We would like to thank Pius Ganter for his preliminary work within his master thesis. Further we would like to give special thanks to Mounir Idrassi from the VeraCrypt Project, as well as, the Chair of Human-Centered-Security at the Ruhr University in Bochum, which provided us with the latest knowledge on user experience in the area of security and significant support in the implementation of the project.

An official pre-release version of VeraCrypt including the new interface is now available at: https://github.com/veracrypt/VeraCrypt/pull/957 . We are happy to receive any kind of feedback.

VeraCrypt | Part 1/2

Imagine following day-to-day situation…
You are on a train on your way to work. Once the train arrives at your station, you leave the train. While the train leaves, you realize, that you left your bag at your place within the train.

These or similar situations happen every day and may have happened to one or the other of us.

With the loss of your bag there is loss in the form of material value and non-material value.

However, due to the ever-increasing integration of digital devices into the everyday life, it is very likely that there is another cause of damage:

The damage due to loss of data!

Your bag may contain your personal or business laptop, tablet, smartphone, USB stick or any other item with digital information. Each of these may contain sensible data. This can be vacation photos, chat histories, browser data, emails or documents or many more.

With the loss of your bag, these data can potentially be seen, or even misused by anyone. It is important to note that this is not necessarily a targeted attack against you as the owner of the bag. But a random finder of your personal bag might take a look at the stored data out of sheer interest. The impact of data access can range from minor disruption to the leak of confidential business data.

In recent years, there have been increasing reports of data loss in companies due to stolen or lost devices. Unfortunately, there are limited statistics available. However, no scientific research can be conducted. Nevertheless, this correlates with expectations, since the number of digital devices is rapidly increasing.

Since it is not hundred percent possible to conclusively prevent device loss, companies, as well as individuals, must address how to protect data in the event of a loss of devices. Specifically, this means that it must be ensured that data can only be accessed by the authorized individual, even if a potential attacker gains physical access to the device.

What can we do?
User passwords on computers or user PINs on smartphones are already widely used solutions for protecting data from access by unauthorized persons. This type of security measure ensures that when the device is switched on, a login must take place before access is granted to the stored data and the device’s functions. In this way, a user can protect himself from prying eyes if the device is unattended for a short time.

However, if an attacker has undisturbed physical access to a device, it is still possible to view or modify the data stored on such device. Technically, a user password or user PIN is a protective measure in which the installed operating system restricts access to the stored data. This measure can be circumvented by starting a different operating system or by removing and reading the hard drive on another computer.

It should be noted at this point that a user password or user PIN is by no means a superfluous security measure, but merely protects against a different attack scenario.

At first glance, booting another operating system may sound technically complex. In practice, it can be done by lay users within a very short time without any special tools. Appropriate instructions can be found easily after a short search on the Internet.

For the situation, described in this article, this means that it is very likely that a random finder, even without a technical background, tries to extract the information on that device.

Due to the small amount of effort involved, it is even quite realistic that this finder has no criminal intentions whatsoever but would like to look at the stored data out of pure interest or with the intention of finding out the owner of the device. But information found by chance could arouse other desires.

In the following articles, we will look at how you and companies can protect the data on mobile devices in the event of a device loss. We will look at the technical challenges and present methods and tools that can be used to protect your devices and data.

PART 2

In the first part, we introduced which risks can arise for the data on mobile devices if the devices are lost or stolen. We found out that reading out data is generally not a problem for anyone, even if they have little IT knowledge. Mistakenly, it is often assumed that user passwords protect against this attack.

To understand this fact, we need to look at how the authorization system of an operating system works. Imagine an archive of documents. Since some documents are sensitive, each document has a label indicating who is allowed to read the document. As soon as a visitor wants to read a document, he contacts the archivist and presents his ID card to prove his identity. Once the archivist has checked the identity, he checks the label on the document to find out if the visitor is authorized to read the document and in case of eligibility, he hands over the document.

The situation is comparable to the situation with computers: in addition to the actual data, each file and folder also contains an attribute that specifies which user is allowed to open the file or folder. To identify a physical person as a specific user, a user password is used, which only the owner knows. Once a user is logged in, he can now access the file or folder. Based on the attribute specifying the allowed user access, the operation is continued or denied.

If we look back at our analogy with the archive, we see that security is entirely dependent on the archivist. This person must be trustworthy and must adhere to the specifications of the label. The documents themselves are not physically protected, for example by being locked away.

And this is exactly the problem with user passwords. They are just there to allow the operating system to associate a physical person with a digital user. The security of the files now depends on whether the operating system allows access or not. The password itself does not protect a file but only the identity of a digital user!

But what happens if we bypass the archivist in our example by walking past him in an unnoticed moment? Well, we simply take the documents out of the rack and ignore the labels. And this is exactly what we can do in the technical field as well. We do not have to query the data from the installed operating system if we bypass the operating system. So, similar to the stickers, the attributes can simply be ignored, and the data can be viewed.

To achieve this, it is sufficient either to plug the hard disk into any other computer or to start another operating system on the computer, which is stored on a USB drive, for example. Back to our original scenario: if you lose a mobile device or if it is stolen, a third person has just to use one of these two possibilities to gain access to the stored data in a few minutes if only a user password is used.

So how do you protect yourself from this? In our analogy, the answer is simple: the archivist must lock the documents and no one else may have a key. So even if we achieved to bypass the archivist, we would stand in front of a locked door protecting the secret documents. This way, the archivist could make sure that we only receive the documents that we are allowed to see.

And that’s exactly the solution in the digital domain: we have to lock the files away when the operating system is not started. This way, the access control can no longer be bypassed if third parties want to gain access to the stored data.

In the technical realm, “locking away” is implemented through encryption. Data is not simply stored on the hard disk but is modified beforehand by mathematical methods in such way that a key is required to restore the original state. Since this key is only passed to the installed operating system when it is started, it is not possible to read the actual data via another computer or operating system. This protects us from third parties being able to read the stored data.

So, a user password only helps to connect a physical person with a digital user, but it does not protect the data itself. To protect ourselves from data access by third parties, it is necessary that we encrypt our data and only pass the key for decryption to the operating system at startup. This ensures that the operating system’s own authorization management can take effect.

In the next articles in this series, we’ll put this theory into practice. We will take a look at which programs can realize this encryption. We will also look at the advantages and disadvantages of the programs and what effects the use of encryption technology has on the user experience.

The next part will be released on September 22, 2022!

Business and IT: Like Cain and Abel?

Appropriate IT solutions are crucial for the success and security of a company. But how is it that often the IT department is the scapegoat of companies? Almost every department is concerned with strategic planning, long-term goals, measures that are coordinated with each other, and of all things, IT seems to be going haywire. Quick solutions are needed, driven by digititalization pressure triggered by the pandemic, which is giving departments a good run for their money.

“Our IT is not getting off the ground!” or “The IT solutions don’t fit at all” – these or similar statements are often made by friendly colleagues from other departments. From the business perspective, in-house IT is often too slow, does not implement new requirements and presents a patchwork of solutions. IT, on the other hand, sees itself as the driven one, little supported and taken seriously, and in times of pandemic and war, even more pressured and constantly forced to move. Added to this is the budget pressure. Where does this discrepancy in perception come from? Historically, the answer is. This attitude comes from a time when IT was merely a technical service provider for the employees, and this attitude should be urgently revised so that there is better cooperation for the sake of the company’s success.

This is because the company’s own IT represents the link between business and technology within the company. It is therefore an essential component in the development of corporate strategies and business areas based on new technologies and thus also has an increasingly strong influence on value creation. Improving communication and understanding between business and IT is fundamental and indispensable for successful business models that are adapted to the needs of the market.

New thinking for IT
Old thought patterns must be abandoned in order to embark on a sustainable and strategic development in the right direction,. Start-ups with digital business models, whose approaches can be applied to the ways existing companies function, can serve as a model for this. Startups view IT as a driver whose performance is not measured in terms of saved costs, but rather in terms of the innovative power it delivers. The thought-provoking impulses provided by this IT are highly relevant to the core activities of the company, agile in conception and focused on business-oriented implementability. Away from being a pure service provider and computer nerd to a respected department that does not generate costs, but helps to run a successful and progressive business.

We are against any form of violence and war

The employees of e2 Security stand by our friends in Ukraine.

We as a company are for the protection of any life . We are against any form of violence and war.

Our employees also have family and friends in Ukraine.
With horror we follow the events of the last days. The aggression against a country and its citizens who want to build themselves a future in freedom, we also condemn in the strongest terms.

We ourselves have experienced the people of Ukraine as friendly, open-minded who are proud to build a life in freedom.

For some of our employees, memories also come back to them when they saw family, friends and comrades die during the war in Yugoslavia. We know how our friends feel right now, fighting a heroic battle against an overwhelming aggressor.

Our thoughts are with all the brave people in Ukraine , the Russian citizens who bravely stood up to these attacks and for all those who have to bear the cost of a senseless war.

We as e2 Security stand by the people of Ukraine, our friends and their family.

#StayWithUkraine #StopWar #StayTogether

HTTP Verb Tampering

When testing web applications for security flaws, the applications’ handling of different HTTP request methods – also known as verbs – should be considered.Usually, interactions between clients and servers utilize the HTTP methods GET or POST for accessing resources.

Digital transformation requires a solid cyber security

During and after my studies of business administration I worked in different areas and companies. Most recently, almost 5 years in the corporate development/strategy of a semiconductor company with a big focus on automotive applications. During my master’s studies, I mainly focused on entrepreneurship, innovation management and digital topics. That’s why I wrote my master thesis about digital business models. Since August this year I’m working as a consultant in the areas of cyber security and digital transformation and to be honest I’ve more questions than answers after the first weeks.

Phishing: These are the most popular tricks

For criminals and fraudsters, personal data of Internet users is always very desirable. In many cases it allows access to credit cards, bank or online accounts.

Phishing, i.e. obtaining other people’s personal data using fake e-mails or websites, is a popular method of doing this. The following is an overview of the most common methods:

Clickjacking

What is Clickjacking?
Clickjacking takes place when a fraudster sets up an overlaid website interface and steals clicks on that fake website to then use it on a real site. Users come across these illegal overlays by chance and assume that after filling in a field, clicking a link, or entering their passwords, they’ll get access to what they see in front of them.

What is KRITIS and who does it affect? 

In Germany, special regulations apply to operators of critical infrastructures under the Federal Office for Information Security / Bundesamt für Sicherheit in der Informationstechnik (BSI) Act. But who counts as an operator and when are infrastructures classified as critical?

Hard Coded Credentials for Dummies

Hard Coded Credentials for Dummies

or

How to not unknowingly, accidently and unconsciously reveal all your passwords and secrets to bad people

Credentials or passwords are the integral part of online and software world. In the simplest example they are the key protecting your “online house” such as Instagram, Facebook, email, etc.

Who is Hacker’s favorite?

How well is my company positioned when it comes to cybersecurity? Are we way ahead of the game or do we have one foot in a major security hole… these are questions that IT managers often ask themselves. New screenings provide some surprising answers.

The case for flat networks

Flat is trendy.  Flat rates, flat hierarchies, flat iron steaks and even a flat earth, but a flat network?  That is a real no-go nowadays and already for a long time.  Anyone in the business of enterprise network design knows by that a flat network design is just begging for trouble at many levels and layers.

Safety First! Cybersecurity in times of Corona

For more than a year now, more people worldwide have been working from home offices than ever before. 

The digitalization of the home has been turbo-charged, but the digital connection to companies has often been more poor than good, primarily in a hurry, so that everyone can continue to work and earn money quickly. But those which cobble together hurriedly open the door to danger from the web.

SolarWinds – The comprehensive review

In early 2019, hackers secretly broke into Texas-based SolarWind’s systems and added malicious code into the company’s software system. The system, called “Orion,” is widely used by companies to manage critical IT resources.