In this episode of Infosec’s Cyber Work podcast series, host Chris Sienko speaks with Ted Shorter. Ted is co-founder and CTO of Keyfactor, a computer security firm. He has worked in security for over 20 years, with a focus on cryptography, application security, authentication and authorization services, and software vulnerability analysis. His past experience includes a master’s degree in computer science from Johns Hopkins University, active CISSP certification and 10 years at the National Security Agency (NSA).
As a computer scientist and team lead at NSA, Ted briefed high-level government officials, including presidential advisors and members of the Joint Chiefs of Staff. Ted also served as lead software developer on a contract with the Department of Defense to integrate biometric authentication with the DoD Common Access Card program. Ted lives in Akron, Ohio with his wife and two sons.
Ted and Chris talked about a recent Keyfactor report, the danger of so-called “predictable randomness,” the raw work of cryptography in keeping devices like these safe, the importance of building security into their devices during design and development and some career advice for those who might like a career in cryptography.
What are some of the signposts or foundational experiences of your career?
A big piece of Ted’s foundational experiences center around problem-solving, and it is one of those things you are sort of born with. In terms of his professional history, it really started to take off when he joined a consulting firm called Certified Security Solutions in 2003. It was a boutique consultancy that spent a lot of time talking to clients about security strategy.
During this time, Ted worked a lot with digital certificates and public infrastructure. Certified Security Solutions focused on identifying unmet needs of customers regarding products and implementation. To this end, they created a small, lightweight tool that customers began buying in substantial numbers. Around 2008, they pivoted towards more of a software company, and in 2014 they became Keyfactor.
Did you fall into being a cryptographer?
Ted does not consider himself a cryptographer. A lot of people try to do it, but there are only maybe a dozen world-class cryptographers in the world today. Real cryptography is when you can show an algorithm to the world but still no one can break it. What he thinks is far more useful to an organization is having a cryptographic expert around because they know how to apply cryptography the right way (to be blunt).
Another route an organization can take is having a cryptographic center of excellence. In terms of Ted’s past experience and current role, he works more with cryptographic analysis. An interesting thing about today is that the IoT trend pushed the need for this knowledge to engineers, developers and others, which is a new development.
Keyfactor recently published a research report showing that many of the IoT and network devices in use today are leveraging weak digital certificates, and that 1 in every 172 digital certificates are vulnerable to attack. What does this mean exactly?
Before answering this question, Ted gave credit to his colleague J.D. Kilgallen who took a rather large data set. He used software Keyfactor made, which can scan networks and gather digital certificates being used on the network, and aimed it at the entire internet at large. It scanned all public websites and devices on them.
This took between one and two years to complete and gathered 82 million digital certificates. It found that 1 in every 172 were vulnerable, and they were able to break half a million of them!
Something interesting they found was that some of these constrained devices have trouble generating keys that are random enough. This means that they can be exploited.
What does this high number of insecure digital certificates mean for attack surfaces?
In terms of consumers, Ted thinks this underscores a bigger problem with IoT in general, design and cryptography. If you use what has been used before in terms of cryptography for more familiar devices such as Microsoft and Apple, constraints make it so that these devices cannot communicate as well as they should, which can lead to cryptography that is easy to break.
If this problem were somehow solved tomorrow, how different would the landscape look in terms of options and availability for hackers?
This would drop it to zero. The random numbers that can be created today would take the best computers years to break. However, with weak cryptography and overlap, they have been easier for attackers to guess.
Tell me about the ramifications of these insecure digital certificates being used in the IoT for firewalls and firmware.
If you know the cryptography a firewall uses, you can use man-in-the-middle to see what communications are going back and forth, including credentials and passwords. This is serious.
In terms of firmware, at Keyfactor they work with code signing. Recently, the FDA mandated new guidelines around updatable firmware. They have customers that are signing the firmware updates for everything from insulin pumps to airplanes, and if you think about the ability to fake updates like this, you can imagine the ramifications if hackers get their hands on them.
Tell me more about the difference between the different types of jobs around cryptography?
A true cryptographer is literally inventing algorithms with a skill level that will get adopted by standards. For example, AES became what it is when NIST used it as a challenge scenario to submit algorithms to see if they can withstand that level of security.
The people who play in this space are incredibly good at math with a deep expertise in computer science, analysis of algorithms, and what can and can’t be efficient on a computer.
For the “second tier jobs” (which Ted says he is in), in terms of understanding, you have to know how it works and how to put it together so customers don’t make mistakes. These jobs are similar in terms of math but are down a notch in terms of what is demanded.
What you do varies with these jobs, and at Keyfactor, they are a product organization that makes good products and makes sure they are secure. Their customers need experts who can understand all these things, and being able to explain how things affect their organization is something that is demanded of people working in these jobs.
What does predictable randomness mean?
The numbers we are talking about need to be large enough: a large part of the game is to have a large enough key that even the most powerful companies can’t guess all the possible keys. But suppose they don’t have to guess all of them because something has been figured out, such as a large enough part of the keys; in that case, the keys are not random anymore and they become easier to guess. True randomness is difficult because computers are designed to be predictable by their nature.
What many do not know is that your devices gather entropy about your randomness and how you interact with your device, which can be observed by the computer and added to its entropy. For example, whenever you connect to Amazon, your computer makes a key to encrypt the connection to make it secure if these keys were not random.
So what things are master cryptographers doing to make it random and to take out patterns?
Ted thinks you have to look at the system as a whole because it is rare that an algorithm falls over. More often, it’s the implementation of an algorithm where things go awry. For example, the RSA algorithm is still secure but if you use predictable keys, it doesn’t matter how secure it may be.
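The point that RSA is only as strong as its key generation can be checked on a fleet you operate. As an added example (not from the episode or from Keyfactor's tooling), this sketch applies the well-known shared-factor check: two RSA moduli built from a repeated prime have a GCD greater than 1. The device model, device names and 128-bit toy key sizes are constructed assumptions.

```python
import math
import random
from itertools import combinations

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin over fixed bases; exact for the toy sizes used here."""
    if n < 2:
        return False
    for p in BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def prime_from(rng, bits=64):
    """Draw odd candidates of the given size from rng until one is prime."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c):
            return c

def toy_device_modulus(boot_state, serial):
    """Assumed model: p from a low-entropy boot state, q from per-unit state."""
    p = prime_from(random.Random(boot_state))
    q = prime_from(random.Random(f"unit-{serial}"))
    return p * q  # 128-bit toy modulus; real RSA moduli are 2048+ bits

def shared_factor_audit(moduli):
    """Return every pair of names whose moduli have a common factor."""
    return [(a, b) for (a, na), (b, nb) in combinations(moduli.items(), 2)
            if math.gcd(na, nb) > 1]

# Constructed fleet: the two cameras booted with the same thin entropy pool.
FLEET = {"cam-01": toy_device_modulus(7, 1), "cam-02": toy_device_modulus(7, 2),
         "gw-03": toy_device_modulus(4242, 3), "gw-04": toy_device_modulus(9001, 4)}
print(shared_factor_audit(FLEET))
```

Any pair the audit flags means both certificates should be reissued with keys generated after the device's random number generator has been properly seeded.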
A lot of this comes down to designing things in a secure way. For all things IoT, looking at it as a system, looking at the attack surface, what you are worried about and controls, as well as defense-in-depth and design principles, have to be taken into consideration to make its state of security mean something. It is a rare skill set that is hard to do right, but it is in high demand.
For those out there in a job they don’t like, what are some things you can do to put yourself on the path to cryptography?
Education is a big part of understanding some of the principles at play here. It is a mix of computer science, security and design. There are college courses that can help but there is no substitute for hands-on experience such as taking things apart and understanding how to break things. The more knowledge you can gain in this regard, the better.
For those in school looking to take their first classes and get an inside track in cryptography, what classes should they take?
Math is a big one, and some schools are even offering some level of computer security courses which can vary in how useful they are regarding cryptography. Students should research things that interest them, such as white-hat hacking, securing things or how to break into them. At every part of the path all the way up, there needs to be a mindset of how would a hacker break in?
Can you lay out a strategy to start stitching up security errors?
We are starting to see regulatory guidance where it is needed, such as with air travel. If you are designing a device and it is not expensive, the economics of hiring experts or even just pentesters add to the cost of the device, thereby driving the price up. This is compounded by the fact that customers will buy a product and assume it is secure when it may not be.
The nice thing is when it really matters, such as with automobiles and medical devices, there has been a rise in awareness about how to make things more secure. The more they share these practices, the better things will get regarding security.
Another thing that is happening is that new devices being developed will not be incorporated into a product such as an automobile for three to four years, after which the car may be on the road for another 14 years.
Is it really prohibitively expensive to root this problem out?
It is prohibitively expensive, but if you get towards smaller consumer devices, there have been a lot more hacks. This is because that is where cost comes into play, meaning that security has most likely taken a back seat.
What are some recommendations to make future IoT devices more secure?
In general, if you do not initiate it on your own, it will be legislated for you. You should get ahead of this on your own so that you are not at the whim of regulatory legislation that is happening with or without you.
What are some things we will see in five years?
Things will get worse before they get better. Whenever we see disruptive technology emerge (such as the internet, cloud computing and mobile), the pace of adoption of these technologies outpaces security. We are currently at the point with IoT that security has to catch up. Following this, there will never be universal security for devices.
Tell me about some projects ahead for Keyfactor.
Keyfactor has done a lot of work in the large enterprise space for a long time, and the use of disruptive technology and the use of cryptography is expanding with an increased need for people who understand it. For IoT, we need to secure connected devices, especially self-driving cars and planes as we all have vested interest in these things working for our own lives’ sake. Keyfactor takes pride in doing this and helping companies.
How can viewers find out more about you?
Ted can be most easily connected with on social media and LinkedIn, so if you want to find out more about him, simply reach out.
In this episode of Infosec’s Cyber Work podcast, host Chris Sienko spoke with Ted Shorter about cryptography careers, IoT vulnerabilities (such as the fact that 1 out of every 172 digital certificates are vulnerable), and more about the in-demand computer security skillset, cryptography. Stay tuned for more captivating episodes of Cyber Work.