Wednesday, August 17, 2022

Encryption, Encoding, and Hashes, Oh My!


Maybe it's because many people have entered the cybersecurity field in the past few years, but I've been seeing basic security terms used incorrectly lately. As security professionals, we need to have a good handle on the fundamentals to communicate clearly and build trust. Some terms can be confusing at first blush. With this post I'll explain, at a high level, a few basic terms like encryption, encoding, and hashing that often get mixed up.

But first, let's talk about the CIA. No, not the Central Intelligence Agency. The CIA I'm referring to is Confidentiality, Integrity, and Availability, also known as the CIA triad. The CIA triad was pounded into my brain when I first got into application security and has stuck with me ever since. It is a fundamental concept everyone in cybersecurity should understand. When a vulnerability is exploited or a cyberattack is successful, it will negatively impact one or more of these areas.

  • Confidentiality means preventing data from being accessed or viewed unless it is properly authorized.
  • Integrity means protecting data against unauthorized changes. Without integrity, data is untrustworthy.
  • Availability means access to data and systems is maintained. A denial-of-service (DoS) attack aims to prevent or reduce availability.


Now let's dive into encryption, encoding, and hashing.

Encryption is used to protect the confidentiality of data. On its own it does not guarantee integrity: in many modes a ciphertext can be altered without the recipient noticing, so integrity comes from an authenticated encryption mode (such as AES-GCM) or a separate message authentication code (MAC) applied to the ciphertext. Encrypted data is also known as ciphertext and it looks like gibberish to the human eye. The one thing that should always jump out at you when you hear the word "encryption" or "encrypted data" is that the data can be decrypted by whoever holds the right key. Decrypting data means you're reversing the encryption. Decrypted data is also called plaintext or cleartext.

Data becomes encrypted by running it through an encryption algorithm together with a key. A key is a random string of bytes of the size the algorithm expects (128 or 256 bits for AES, for example). A human-chosen password is not a key on its own; when a password is the starting point, a key is derived from it with a key derivation function. There are two main encryption types, symmetric and asymmetric. The main point to take away is that symmetric encryption uses the same key for encrypting and decrypting data, while asymmetric encryption uses a pair of keys, a public one and a private one. With asymmetric encryption, anyone holding the public key can encrypt data, and only the holder of the matching private key can decrypt it (the same key pair, used the other way round, is what produces and verifies digital signatures). If you see the term "public-key cryptography" or "public key infrastructure", it means that asymmetric encryption is involved.
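To make the symmetric-key and integrity points concrete, here is an added example that is not part of the original post. It builds a deliberately simple stream cipher (keystream = SHA-256 over key, nonce and a counter) purely for illustration; the message, keys and byte positions are constructed. It shows that the same key decrypts, that a wrong key yields garbage rather than an error, that bare encryption is malleable (one flipped ciphertext byte silently changes "$100" to "$900"), and that an encrypt-then-MAC tag catches the tampering. Production code should use AES-GCM or ChaCha20-Poly1305 from a vetted library instead of this construction.

```python
import hashlib
import hmac
import os

# Added illustration, not production code and not from the post. The "cipher" is a
# stream cipher whose keystream is SHA-256 over (key, nonce, counter); it exists only
# to make the symmetric-key, malleability and encrypt-then-MAC points visible.
# Real systems should use AES-GCM or ChaCha20-Poly1305 from a vetted library.

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: the same key and nonce always give the same bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Symmetric encryption: XOR with the keystream under a fresh random nonce per message."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Decryption is the same XOR with the same key; a wrong key yields garbage, not an error."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: an HMAC tag over the ciphertext supplies the integrity encryption lacks."""
    blob = encrypt(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    """Verify the tag (constant-time compare) before releasing any plaintext."""
    blob, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext was modified")
    return decrypt(enc_key, blob)


def flip(data: bytes, index: int, mask: int) -> bytes:
    """Attacker tampering: XOR one byte without knowing the key."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


def demo():
    """Returns (plaintext seen after tampering with bare encryption, whether the MAC caught it)."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"transfer $100 to alice"  # constructed sample message; the '1' sits at byte 10

    # Bare encryption: flipping ciphertext byte 10 flips plaintext byte 10 ('1' -> '9'),
    # and decrypt() happily returns the forged amount.
    blob = encrypt(enc_key, msg)
    forged = decrypt(enc_key, flip(blob, NONCE_LEN + 10, ord("1") ^ ord("9")))

    # Encrypt-then-MAC: the same flip is rejected before any plaintext is released.
    sealed = seal(enc_key, mac_key, msg)
    try:
        open_sealed(enc_key, mac_key, flip(sealed, NONCE_LEN + 10, ord("1") ^ ord("9")))
        caught = False
    except ValueError:
        caught = True
    return forged, caught


if __name__ == "__main__":
    print(demo())  # (b'transfer $900 to alice', True)
```

The forged amount is exactly the kind of thing "encryption protects integrity" gets wrong: nothing in `decrypt()` can tell that the ciphertext changed. The tag in `seal()` is what turns a detectable change into a rejected message.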

Some common symmetric algorithms include:

  • AES (the current standard; 3DES is its deprecated predecessor)
  • ChaCha20 (usually paired with the Poly1305 MAC as ChaCha20-Poly1305)

Some common asymmetric algorithms include:

  • RSA
  • Elliptic-curve schemes such as ECDH (key agreement) and ECDSA or Ed25519 (signatures)
  • Diffie-Hellman key exchange

Encoding transforms data from one representation into another using a publicly known scheme and no key, so anyone who recognizes the scheme can decode it. Encoded data is not secret and should never be called encrypted data (even though it often looks like gibberish to humans). It offers no protection when it comes to the confidentiality, integrity, or availability of data.

There are many different types of encoding, such as:

  • HTML (entity) encoding
  • URL (percent) encoding
  • Base64 encoding

Encoding does have valid and useful purposes. HTML and URL encoding are indispensable in web browsers and web applications, where they keep user data from being mistaken for markup or for parts of a URL. Base64-encoded data is represented with standard ASCII characters, so it's perfect for sending images or other binary data over a text-based system like email.

Here's a Base64-encoded string as an example: 

    QXBwU2VjIGlzIGZ1biE=

Keep in mind that if a string ends with one or two equals signs, that's a strong indicator that the data is Base64 encoded. The padding is not always there, though: it only appears when the input length is not a multiple of three bytes, and the URL-safe variant used in JWTs and many API tokens drops it entirely, so the absence of "=" does not rule Base64 out.
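As an added example (not from the original post), the following Python round-trips the sample string above and shows where the padding comes from: 13, 14 and 15 byte inputs produce two, one and zero "=" signs. It also includes a lenient decoder for the strings you actually meet in headers, cookies and logs, where the padding may have been stripped and the URL-safe alphabet ("-" and "_") may be in use; the samples are constructed.

```python
import base64
import binascii
import re

# Added example, not part of the original post: Base64 round trips plus a lenient
# decoder for strings whose "=" padding is missing or that use the URL-safe alphabet.

B64_CHARS = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def b64_encode(data: bytes, urlsafe: bool = False) -> str:
    """Standard Base64 ("+", "/", padded) or the URL-safe variant ("-", "_", unpadded)."""
    if urlsafe:
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
    return base64.b64encode(data).decode("ascii")


def padding_for(length: int) -> int:
    """Number of '=' signs standard Base64 appends for an input of this many bytes."""
    return (3 - length % 3) % 3


def b64_decode_lenient(text: str):
    """Decode standard or URL-safe Base64, restoring missing padding; None if it is not Base64."""
    compact = "".join(text.split())  # tolerate line breaks and spaces
    if not compact or not B64_CHARS.match(compact):
        return None
    normalized = compact.replace("-", "+").replace("_", "/").rstrip("=")
    normalized += "=" * (-len(normalized) % 4)  # re-add whatever padding was stripped
    try:
        return base64.b64decode(normalized, validate=True)
    except (binascii.Error, ValueError):
        return None  # right alphabet, impossible length (e.g. a lone character)


if __name__ == "__main__":
    for sample in (b"AppSec is fun", b"AppSec is fun!", b"AppSec is fun!!"):  # constructed
        encoded = b64_encode(sample)
        print(f"{len(sample):2d} bytes -> {encoded}  ({padding_for(len(sample))} '=' padding)")
    print(b64_decode_lenient("QXBwU2VjIGlzIGZ1biE"))  # padding stripped, still decodes
```

The decoder deliberately answers "is this Base64?" by trying to decode rather than by looking for "=": a JWT segment such as the URL-safe `-_8` has no padding and a non-standard alphabet, yet it decodes cleanly once normalized.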

Hashing means that data is sent through a one-way function that produces a fixed-length digest. The digest looks like gibberish to the human eye, the same input always produces the same digest, and there is no key and no way to run the function backwards. No one should ever talk about "reversing" or "decrypting" a hash value. It can't be done. You can, however, try to crack a hashed value (a hashed value is often just called a "hash"): guess candidate inputs, hash each one, and compare the result against the target. Precomputed lookup tables (rainbow tables) and wordlists simply make that guessing faster, which is why stored password hashes should be salted and computed with a deliberately slow algorithm. There are many cracking tools available to help with such things.

Common hashing algorithms include:

  • MD5 (old and broken; collisions are cheap to produce)
  • SHA-1 (also not considered secure anymore; a practical collision was demonstrated in 2017)
  • SHA-2 (includes SHA-256 and SHA-512 among others; fine for integrity checks and signatures, but too fast on its own for storing passwords)
  • Argon2 (a salted, deliberately slow password-hashing function; considered best for protecting stored passwords, with bcrypt and scrypt as established alternatives)
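The following added example (not part of the original post) puts the hashing paragraph and the list above into code: a SHA-256 digest is fixed-length and deterministic, an unsalted hash of a common password falls to a wordlist attack in a few guesses, and a salted, slow hash gives a different value every time so no precomputed table applies. PBKDF2-HMAC-SHA256 from the standard library stands in for Argon2 because Argon2 needs the third-party argon2-cffi package; the wordlist is constructed.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Added example, not part of the original post: what a hash looks like, why it can be
# cracked but never reversed, and why stored passwords need a salt and a slow algorithm.
# PBKDF2-HMAC-SHA256 (stdlib) stands in for Argon2 here; the wordlist is constructed.

WORDLIST: List[bytes] = [b"123456", b"password", b"letmein", b"qwerty", b"hello"]


def sha256_hex(data: bytes) -> str:
    """Fixed-length (64 hex chars) digest; the same input always yields the same value."""
    return hashlib.sha256(data).hexdigest()


def crack_unsalted(target_hex: str, wordlist: List[bytes]) -> Optional[bytes]:
    """Cracking = guess, hash, compare. A rainbow table is just this loop run in advance."""
    for candidate in wordlist:
        if sha256_hex(candidate) == target_hex:
            return candidate
    return None


def hash_password(password: bytes, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, slow hash for storage: a random salt per user defeats precomputed tables,
    and the iteration count makes each guess cost the attacker real CPU time."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: bytes, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = sha256_hex(b"letmein")  # an unsalted hash as it might appear in a dump
    print(leaked, "->", crack_unsalted(leaked, WORDLIST))
    stored = hash_password(b"letmein")
    print(stored)
    print(verify_password(b"letmein", stored), verify_password(b"letmeout", stored))
```

Note what the salt buys: `hash_password(b"letmein")` called twice stores two different strings, so an attacker cannot hash a wordlist once and look every user up; they have to redo the slow computation per user.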

Finally, if you ever need to hash some data or want to encode or decode some data, take a look at this nice online utility (but never paste real secrets, tokens, or customer data into a third-party website). Use it to decode the example Base64-encoded string above!

I hope this article has been helpful to explain one tiny part of the cybersecurity ecosystem.

(This post first published as a LinkedIn article)

Tuesday, August 2, 2022

Software Supply Chains and Security Challenges

 
Recently I took part in a panel discussion and the topic was securing the software supply chain. It's a hot topic in cybersecurity right now. To prepare for the panel, I decided to look at changes in software development practices over the last decade and how supply chain risks have emerged because of those changes.

Four areas of change came to mind.

1. Digital transformation

A remarkable increase in the pervasiveness of software has occurred.  It was 11 years ago that Marc Andreessen said that software is eating the world.  It's even more true now. Every company is now a software company.  Recently, my wife and I wanted to see the new Top Gun movie. We used Cinemark's mobile app to review showtimes, reserve our preferred seats, pay for the tickets, and scan a QR code upon arrival.  Before digital transformation, Cinemark just showed pictures on a screen and sold popcorn.  

2. Faster time to market

Businesses today need software and applications developed and released quickly to stay relevant and gain a competitive advantage. The need to move faster drove innovation in software development. New practices, technologies, and toolsets came onto the scene including:

  • Agile development methodologies
  • DevOps processes
  • Cloud, containers, and IaC
  • CI/CD tools to automate builds & deployments
  • Microservice architectures

These innovations improved time-to-market, but have also introduced complexity and new attack vectors.

3. The rise of open source software

According to Veracode's State of Software Security (SOSS) report, open source code makes up a large part of an application's codebase.  It's up around 95% for a Java-based application. This led Chris Wysopal, Veracode's CTO and co-founder, to state:

    "In many respects, development teams have shifted from writing software to assembling software."

It is the job of a package manager (e.g., Maven for Java, NuGet for .NET, npm for Node.js) to perform the nitty-gritty details of assembling software, and this includes the complex process of managing direct and transitive dependencies. Package managers generally pull from centralized, public registries where thousands of open source components are hosted and shared. This opened up novel attack vectors, like dependency confusion, where an attacker publishes a package on the public registry under the name of an organization's internal package (usually with a higher version number) so that the package manager resolves and installs the attacker's copy instead.
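As an added example (not part of the original post or any vendor's tooling), here is a lockfile audit that looks for the symptoms of dependency confusion in an npm `package-lock.json`. Everything in it is hypothetical: the organization's internal packages are assumed to live under the `@acme` scope and to resolve only from `registry.internal.example`, and the lockfile is constructed inline with one internal package served by the public registry at version 99.0.0, plus one package pulled from an unexpected host over plain http.

```python
import json
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Added example, not part of the original post: a package-lock.json audit for the
# symptoms of dependency confusion. Assumptions (hypothetical): internal packages live
# under the @acme scope and must resolve from registry.internal.example; the lockfile
# below is constructed inline.

INTERNAL_SCOPE = "@acme/"
INTERNAL_REGISTRY = "registry.internal.example"
PUBLIC_REGISTRY = "registry.npmjs.org"

LOCKFILE: Dict = json.loads("""
{
  "name": "webapp",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "webapp", "version": "1.0.0"},
    "node_modules/@acme/auth": {
      "version": "2.1.0",
      "resolved": "https://registry.internal.example/@acme/auth/-/auth-2.1.0.tgz"
    },
    "node_modules/@acme/billing": {
      "version": "99.0.0",
      "resolved": "https://registry.npmjs.org/@acme/billing/-/billing-99.0.0.tgz"
    },
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
    },
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "http://cdn.attacker.example/left-pad-1.3.0.tgz"
    }
  }
}
""")


def audit_lockfile(lock: Dict) -> List[Tuple[str, str]]:
    """Return (package, reason) pairs for entries whose source is not what it should be."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.split("node_modules/")[-1]  # handles nested node_modules paths too
        url = urlparse(meta.get("resolved", ""))
        host = url.hostname or ""
        if name.startswith(INTERNAL_SCOPE) and host != INTERNAL_REGISTRY:
            # The classic confusion signature: an internal name served by the public
            # registry, typically at an absurdly high version that "wins" resolution.
            findings.append((name, f"internal package resolved from {host or 'unknown host'} "
                                   f"at version {meta.get('version')}"))
        elif host not in (INTERNAL_REGISTRY, PUBLIC_REGISTRY):
            findings.append((name, f"resolved from unexpected host {host or 'unknown host'}"))
        if url.scheme == "http":
            findings.append((name, "fetched over plain http (tamperable in transit)"))
    return findings


if __name__ == "__main__":
    for package, reason in audit_lockfile(LOCKFILE):
        print(f"{package}: {reason}")
```

Running it flags `@acme/billing` and `left-pad` and leaves `@acme/auth` and `lodash` alone. The preventive fix on the npm side is to pin the scope to the internal registry in `.npmrc` (`@acme:registry=https://registry.internal.example/`) so the public registry is never consulted for those names, and to commit the lockfile so a later install cannot silently resolve differently.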

4. Shift to microservices & APIs

The move away from large, monolithic codebases has accelerated in the last 3-4 years. With microservices, software is broken into smaller, independent parts that communicate via APIs. This allows for more scalability, flexibility, and resilience. Your organization likely consumes the APIs of service providers and other vendors, so they are part of your software supply chain. Poor API security is estimated to cost businesses $75 billion annually. In fact, OWASP published a Top 10 list dedicated to API security in 2019.

Considering these dramatic changes over the last decade or so, it becomes clearer why supply chain attacks are in the news. The bad guys are still scanning systems for open ports and probing web applications for vulnerabilities. Now they are also looking to compromise CI/CD environments, insert malicious code into open source packages, steal cloud provider access keys, hack into APIs, and exploit known vulnerabilities in third-party libraries. They look for weaknesses in your software suppliers too. Any software your company develops, consumes, invokes, or leverages in any way is fair game in the mind of cyberattackers.
 
Let's look briefly at two very different software supply chain incidents.

SolarWinds 
SolarWinds is a provider of IT management & monitoring software called Orion. A sophisticated and carefully-planned attack was executed in 2020 where the automated update process for Orion was compromised. Customers who updated their Orion software inadvertently gave the attackers backdoor/shell access to their environment. Up to 18,000 organizations were victimized. SolarWinds said their "software build system" was hacked to insert malicious code.

Log4Shell
Log4Shell is a vulnerability in a Java open source library called "log4j" that was discovered in December 2021. It's been called the single most critical vulnerability of all time. Not only is it extremely severe (CVSS score of 10.0), it's easily exploitable and very widespread. It was found that 93% of cloud enterprise environments were vulnerable. The vulnerability sat unnoticed in the log4j library since 2013. Organizations around the world were thrown into panic mode, scrambling to find where the vulnerable library was being used and to patch it quickly.

These two incidents are radically different in nature, but both have their roots in the software supply chain. The SolarWinds attackers targeted software supplied to thousands of organizations. It appears they infiltrated the supplier's CI/CD toolset to insert their own scripts and take advantage of automated DevOps processes. On the other hand, Log4Shell was not a sophisticated nation-state hack, but vast numbers of organizations were impacted because of a reliance on open source software.

There is no one solution or tool to secure the entire software supply chain. There are some "no-brainers" available today to help, like scanning your applications to identify vulnerable open source components. I recommend Veracode's Software Composition Analysis for this. Auditing your CI/CD build systems for access control and integrity is another good step to take. Software bills of materials (SBOMs), machine-readable inventories of the components that went into a build, are another initiative gaining momentum. It will be interesting to see how this area of cybersecurity evolves in the next few years.
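To show what "scanning for vulnerable open source components" and an SBOM have to do with each other, here is an added example that is not part of the original post and is not Veracode's tooling: a minimal software-composition check that reads a CycloneDX-style SBOM and matches each component's package URL against a list of advisories with [introduced, fixed) version ranges. Both the SBOM and the advisory list are constructed inline; the log4j-core range is illustrative and the second advisory names a made-up library, so real checks must pull ranges from an advisory database rather than this file.

```python
import json
import re
from typing import Dict, List, Tuple

# Added example, not part of the original post and not any vendor's tooling: a minimal
# software-composition check that matches the components in a CycloneDX SBOM against a
# list of advisories. Both the SBOM and the advisory list are constructed inline; the
# version ranges are illustrative, so pull real ones from an advisory database.

SBOM: Dict = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "group": "com.example", "name": "widget",
     "version": "2.9.0", "purl": "pkg:maven/com.example/widget@2.9.0"},
    {"type": "library", "group": "com.example", "name": "widget",
     "version": "3.0.2", "purl": "pkg:maven/com.example/widget@3.0.2"}
  ]
}
""")

# Each advisory names the package (purl without version) and a half-open
# [introduced, fixed) range, the convention OSV-style feeds use. Constructed data.
ADVISORIES: List[Dict] = [
    {"id": "ADV-EXAMPLE-1", "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0", "summary": "Log4Shell, illustrative range"},
    {"id": "ADV-EXAMPLE-2", "package": "pkg:maven/com.example/widget",
     "introduced": "0", "fixed": "3.0.0", "summary": "made-up advisory for a made-up library"},
]


def vkey(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version as a comparable tuple: '2.14.1' -> (2, 14, 1), '2.0-beta9' -> (2, 0)."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        match = re.match(r"\d+", piece)
        if not match:
            break  # stop at the first non-numeric label such as "beta9"
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return vkey(introduced) <= vkey(version) < vkey(fixed)


def find_vulnerable(sbom: Dict, advisories: List[Dict]) -> List[Tuple[str, str]]:
    """Return (purl, advisory id) for every component inside an advisory's affected range."""
    hits = []
    for component in sbom.get("components", []):
        purl = component.get("purl", "")
        package, _, version = purl.rpartition("@")  # the version follows the last '@'
        for adv in advisories:
            if package == adv["package"] and is_affected(version, adv["introduced"], adv["fixed"]):
                hits.append((purl, adv["id"]))
    return hits


if __name__ == "__main__":
    for purl, adv_id in find_vulnerable(SBOM, ADVISORIES):
        print(f"{adv_id}: {purl}")
```

The point of the exercise is the Log4Shell scramble in reverse: an organization that already had an SBOM per deployed application could answer "where is log4j-core, and which versions?" with a query like this instead of a company-wide hunt. The simple numeric comparison in `vkey` is enough for Maven-style versions; real tooling has to handle the full semver and ecosystem-specific rules.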

(This post first published as a LinkedIn article)