- Facebook admits 50 million user account were compromised in the “View As” attack
- Study finds 3,675,000 Australian office workers have done something which could potentially lead to a data breach
- Australian company has technology to generate a billion random numbers per second
Nearly 50 million Facebooks accounts were hacked on Friday.
In 2014, up to 100 million JPMorgan customers had their private data compromised.
In 2017, it was three billion Yahoo customers.
And in Australia this year, hundreds of thousands of Australians who entrusted their personal information to a corporate website when applying for a job online may have lost their private data to the PageUp hack.
It’s obvious that stealing your online lives is just getting too easy for the bad guys. And it’s going to take a few more years yet before big business and governments get the upper hand back – maybe.
Like any security, data security fundamentally relies on locks and keys.
If you want the government, Facebook, your banking app or Medicare to use or send your data securely, you’re hoping that data will be encrypted while it’s in transit between you sending it, the company you give it to, and the cloud operators and third parties they share it with.
Encrypted means “all jumbled up”, and in even more basic terms, picture that encrypted data is sent in a locked briefcase. A key has to be sent separately for it to be unlocked and the nonsense inside to be decrypted back into sense at the other end.
If it’s intercepted, and someone wants to unjumble it, they need that key. You’ve probably seen this in movies.
Way back in 1977, someone estimated it would take 40 quadrillion years to break the encryption on a 426-bit RSA key.
In 1994, they were wrong by whatever 40 quadrillion years minus 17 years is equal to.
And since then, the war between the people who encrypt, and the people who try to break encryptions, has increasingly waged at the kind of exponential levels you’d expect at, well, a tech industry to wage at.
Here’s the latest weapon:
It’s the world’s fastest true random number generator, made by Australia’s QuintessenceLabs. That’s Vikram Sharma, QuintessenceLabs CEO, holding it in a fascinating TED talk he gave earlier this year.
Cloud providers, banks, and security agencies all around the world use it because they like the way it measures quantum effects to produce a billion random numbers per second.
Random numbers are crucial when it comes to properly secure encryption, because the first thing anyone or anything looks for when it’s trying to crack a code is a pattern.
When you were at school and perhaps lucky enough to have been there when teaching about such things as the Enigma code was considered important, you’ll understand that.
A very simple version would have been to figure out that highlighting every fourth letter in a string of mumbo-jumbo reveals words that make sense.
The modern version belongs to “Alex”, the Russian programmer who recorded Australian-made slot machines around the world because he realised the payouts – eventually – followed a pattern.
Some clever reverse-engineering let “Alex” know when to play, and win. Sometimes up to $250,000 a week.
The slots were run by algorithms using “pseudorandom” numbers, generated mainly through software. It’s a fascinating science, if you’re into that sort of thing, because other methods of drawing down truly random numbers include wacky stuff such as recording nuclear decay, the movement of clouds and birds, or bursts from a quasar.
“You can do that and it’s a perfectly good source of random numbers but it’s not very practical to have a nuclear source in your data room,” Quintessence Labs CEO Vikram Sharma says.
“Not very practical. So what we measure is a quantum effect, and that random number generator and we’re able to convert that at very high speeds to a stream of true random numbers.”
“What we’ve been able to do is come up with these very unique diodes called tunnelling diodes and use them in a very interesting way to leverage this effect which occurs right down at the most fundamental level of nature.”
How to generate a true random number
Basically, it’s as impossible to visualise as it is to crack. Something about how in the quantum world, a certain type of particle in a group of particles can’t cross a certain type of barrier formed by a certain type of electronic diode.
Except that sometimes, maybe unpredictably, a certain type of particle does cross the barrier – by “tunnelling” straight through. How many of the particles, and when they do this is completely random.
QuintessenceLabs found a way to count them and use the results to build its true random key generator, which goes a long way toward solving the weakness in cryptographic keys generated using software algorithms as is done in almost all cryptosystems today.
But wait, there’s more. Those random keys need to be secretly shared to be of any use, and the quantum world makes it possible to do so extremely securely. Sharma, excellently, chooses to use James Bond to explain how that works.
Nowadays, it’s not good enough to just send the code to Bond using conventional transmission techniques. We can use quantum effects on a laser to carry the code over standard optical fibre, but if Dr No tries to intercept that transfer, QuintessenceLabs’ technology can see his fingerprints on it.
That’s because just looking at a quantum particle changes its nature.
“So if I’ve encoded an encryption key and I’m sending it to you on a highly tuned laser, if somebody tries to intercept it while in transit, you and I will know and hence, we’ll discard that key,” Sharma says.
The potential decryption key for the information is tossed out immediately, and a new one generated. Sharma says that means no quantum computer or any future supercomputer will be able to break it “because it’s based on the fundamental laws of physics”.
So, we move from pseudorandom number generators (PRNG) – generated by software – into the realm of quantum random number generators (QRNGs), and quantum key distribution (QKD). And all this is able to resist the strongest of attacks, even those only possible with the development of quantum computing, which is likely to be realised at a practical scale well within a decade.
It’s such a big deal that the US National Security Agency has launched a challenge to find algorithms which they believe will be strong enough in the face of a commercial grade quantum computer.
You can bet there’s some significant IP out on that. About a third of Quintessence Lab’s employees have PhDs and a large balance of them come with commercial expertise.
It is a very large piece of Australian genius fitted into a small PCI card which can be plugged into a standard computer. The kind of genius that we’ll probably one day list in Aussie Innovation lists alongside the bionic ear and Victa mower.
In part because of it, the World Economic Forum in June gave Quintessence Labs one of two spots for Australian companies in its global list of 60 of 2018’s Technology Pioneers.
“It really is designed to operate at an enterprise scale,” Sharma says. “But moving forward, with miniaturisation and bringing the cost down, we’ll expect adoption into the SME sector.
“It’s probably only three years away or so.”
Nearly 4 million risky Australians
The problem is you can lose a lot of data in the next three years. Australians are among the worst offenders when it comes to looking after their own data, and were recently ranked fifth in the world for data breaches for 2018.
That’s backed up by QuintessenceLab’s own survey of 300 businesses and more than a 1000 people in May which found that:
- 3,675,000 Australian office workers have done something which could potentially lead to a data breach
- 49% of Australian office workers have performed careless acts that make a company’s data more vulnerable such as reading a sensitive email accidentally or using a weak password, and
- 38% of Australian office workers have committed more serious offences including such as taking confidential files out of the office on a USB or sharing a password with a colleague
They are alarming figures in anyone’s book. And data breaches the likes of what have been suffered in recent years by corporate monoliths such as Target, JPMorgan and Yahoo – and now Facebook – can cost well into the billions.
Sharma believes we’re dicing with the potential for massive global breaches “to ravage the world economy”. Not to mention rig elections.
And now you can add to the mix billions of smartphone users casually handing over their biometric data to giant tech corporations. Finger, face and iris prints which not only unlock our phones and computers, but are trusted with banks to allow access to our accounts and share trading apps.
The message has been said many times, but it has completely been overwhelmed in our rush to take up convenient, cool new technology – you can change your password, but what happens if someone steals your fingerprint?
A good chunk of the estimated 30 billion Internet of Things devices we’ll be using by 2020 will be storing and using your image, location and preferences. You better hope the makers of those devices know how to keep that data properly encrypted as it spends much of its life pinging between you, their HQ, their third-party partners and the cloud.
But it doesn’t matter how much money or technology they pour in, it’s all still only as strong as humans let it be.
“You cannot change your biometrics, absolutely,” Sharma says.
“There are two things. If you were doing that, I’d be very selective about where such biometrics are disclosed and really understand why you’re disclosing it and whether you are comfortable with the security measures that the organisation to who you’re disclosing your biometrics are adequate.
“Second, to know that when your biometrics are being transferred to whomever you’re sharing them, that they’re properly protected by encrypting that data.”
‘You cannot change your biometrics’
How do you know a company is using a good encryption system? Sharma says it’s difficult, and that enterprises need to do a better job of explaining to customers what sort of protecting they are affording their customers’ data.
“But we are starting to see some companies providing details if customers ask for it,” he says.
Vikram says their study shows users certainly like to know their data is protected. And the awareness is much more pronounced in the US where the data breaches have affected billions of users of popular apps and websites.
Most people, he says, have now either been directly affected or at least know someone who has been affected by a data breach, and the “general trend” compared to three years ago was showing people were certainly more circumspect about who they were now sharing their personal data with, and how much of it they were willing to share.
Although when it comes to our money, we’re much more alert. One particular US study showed most people who had a data breach occur at their financial institution would immediately switch to another financial institution.
That sentiment, he says, is now “starting to percolate slowly” through to other organisations people share their data with.
How to protect your customers
Sharma says most enterprises can do some basic things that afford a lot of protection. For starters, the Australian Signals Directorate website has its Essential Eight checklist for businesses.
“These are fairly straightforward things which most enterprises with a basic level of IT skills should be able to implement fairly easily and improve their data security considerably,” he says.
But the critical thing, he says, is for enterprises to realise there is a human element to be considered.
“The problem, the risk, for enterprises arises from things other than the technology itself,” he says.
As quantum computing evolves and scales up to a widely accessible and affordable level, hopefully, life is going to become exponentially more difficult for cyber criminals.
But until then, much of the onus for protecting our data is on ourselves.
And just in case some employees have watched too many Bond movies, QuintessenceLabs has taken steps against the chance of a disgruntled employee staying after hours to make a cool billion dollars on the side.
“Well, you know the same things which we recommend to our customers we aim to employ ourselves,” Sharma says. “Those that protect our data well, to manage those keys carefully… also, because of the nature of our technology, there are very many elements to it.
“So there is no one person, or even a small group, that has this ability across the suite of elements or all the pieces of the jigsaw, so to speak.
“Even myself. In fact, probably least of all myself!”