'Unbreakable' security that wasn't: True tales of tech hubris

If you think your system is invulnerable, you're fooling yourself, not your opponents.

01 bramah lock
The $30,000 lock

Eighteenth century British engineer Joseph Bramah invented a lock that, he was sure, could never be picked. He was so sure that he offered 200 guineas (roughly $30,000 today) to anyone who could defeat it. Cris Thomas, a 21st-century strategist at Tenable Network Security, calls this one of the first bug bounties in history. The lock remained seemingly impregnable for more than 67 years, until an American locksmith named Alfred Charles Hobbs defeated it in 1851, prompting a contemporary observer to remark that "the mechanical spirit, however, is never at rest, and if it is lulled into a false state of listlessness in one branch of industry, and in one part of the world, elsewhere it springs up suddenly to admonish and reproach us with our supineness."

Too often, the spirit of modern-day IT security can be lulled into a false state of listlessness, or at least overconfidence. Too many products and networks have been treated by the creators or minders as impregnable -- with embarrassing or devastating consequences when someone comes along and figures out how to pick the lock.

02 quantum processor
Cutting edge and already hacked

The lure of a technical breakthrough that would create a foolproof, unbreakable security system is the dream of many organizations that need to keep their data safe. But such systems invariably fail to live up to their hype, and as technological know-how advances faster and faster, most don't survive anywhere close to the 67 years that Bramah's lock did. Take the buzz around quantum entanglement, one of the stranger aspects of quantum mechanics, which Toshiba is attempting to turn into a commercially viable encryption system. While the process is theoretically interesting, researchers have already shown that there are weaknesses in the hardware that generates the subatomic particles at the heart of the system, negating the theoretical invulnerability.

Java's broken sandbox
Credit: Peter Sayer
Java's broken sandbox

Loud boasts of invincibility have in fact always fallen by the wayside in the security business. Chenxi Wang, Chief Strategy Officer at container security firm Twistlock, recalls that when Java was launched in the mid 1990s, Sun touted Java applets as completely safe, since they ran entirely within a sandboxed environment. But Java was rolled out with an incredibly high profile -- and, she says, that high profile draws attention and people determined to prove those extravagant security claims wrong. Within a year, researchers at Princeton had found ways to pass through the sandbox, alter the local filesystem, and execute native code; soon applets could do everything from forge emails to annoy you with a very noise simulated bear.

04 iphone
Credit: Kenny Loui
The total package, quickly jailbroken

Wang also holds the iPhone up as an example of a device that was billed as unbreakable upon release. "It's well established that Apple controls its entire stack," she says, "everything from the hardware to the firmware to the software. From its inception, it was touted as a device with the highest level of security and minimal attack surface." And yet, not even two months after its release, 17-year-old George Hotz (aka geohot) managed to hack the first-generation iPhone using software smarts, a soldering iron, and a guitar pick. He hit the Apple and its exclusive launch partner AT&T right in the wallet, since his goal was to be able to use the phone without breaking his T-Mobile contract.

05 apple messages
Credit: Apple
Pardon us if we don't take your word for it

In 2013, Apple touted its iMessage service (since renamed just plain Messages) as being unbreakable, and even invulnerable in the face of spying from the NSA. While there hasn't been a public breach of the service that would prove them wrong, security researchers quite quickly revealed that Apple's assurances were essentially worthless -- "just basically lies," said security researcher Cyril Cattiaux. The security of Messages depends on Apple's secretive management of public keys -- a process that could be compromised in the face of a government warrant. The episode demonstrates how much secrecy about the security process can undermine claims of invincibility, since those claims can never be truly tested.

06 enigma machine
Thank goodness for sloppy Germans

People have been lulled into complacency by the strongest aspects of their system security and ignoring the weak points for decades, says Nick Buchholz, threat analyst at Damballa, a security company focused on advanced cyber threats. Take Enigma, the famous machine-generated code used by the Nazis to encrypt communication during World War II. The Enigma encryption scheme was (and, in fact, still is) unbreakable -- but only when implemented correctly. And that, says Buchholz, is the rub. "Lapses in German operator practices (reusing keys and taking shortcuts in generating keys), mishandling of sensitive materials (the Polish capture of Enigma training manuals and machines), and logistical errors (retransmitting the same message encrypted using different keys) created weaknesses in the cipher," he explains. "The Allies exploited these factors to intelligently attack the Axis communications, eventually allowing them to decrypt intercepted transmissions."

07 security guard
Credit: boyhands
Ineffective, but polite, security

In general, people are some of the weakest points of any system. Today, Mark Gazit is CEO of ThetaRay, a leading provider of big data analytics solutions, but in the '90s, he worked as a penetration tester, and a large bank offered a large bonus if he and his team could break into a system that was believed to be unhackable. "We tried to hack it from the outside, but could not," he said. "However, we learned that on the bank's premises, there was a raised access floor under the computer room, under which lay computer cables and a way to sneak in from beneath." Did this call for some Mission: Impossible-style derring-do? Well, not exactly. "I had one of my guys tell the guard that somebody was looking for him. He didn't just leave his post; he gave us the keys to the computer room, telling us, 'If anybody needs to enter, just make sure they sign in.'"

A system isn't unhackable unless all its components are unhackable -- even the components that walk on two legs.

ashley madison
Cheating your way around encryption

The Ashley Madison hack offered a lot of lessons for everybody. "Don't give your personal data to obviously sketchy websites" was the obvious one, but there were practical security takeaways as well. "The password hashes in the Ashley Madison leaks, encrypted with bcrypt, were thought to be too computationally intensive to brute force individually," says Damballa's Buchholz. But user tokens were encrypted with MD5, a much faster hashing algorithm; this could be attacked and "quickly yield a user's password in all lower case, which drastically reduced the keyspace for attacking the bcrypt password hashes." Attacking this weak point revealed 11 million passwords within two months of the breach.

09 starbucks
Credit: leesamlong
Dangerous surfing at Starbucks

Nathan Cooprider is senior software engineer at Threat Stack, and Sam Bisbee is CTO, and they brought up the Tor as a great example of a technology long believed to be impregnable that's now been compromised in various ways, all of which reveal the ways a single vulnerability can negate many layers of strength. As Cooprider put it, "It's easy to prove the math around encryption," to show that in a theoretical setting Tor creates perfect anonymity and security. But no system is used perfectly. What if, for instance, you always log on from a certain coffee shop, where you pay by credit card? Your activities could become public even if the content of your communication itself remains secret.

red siren warning alert emergency
Credit: Shutterstock
Perfection is not what we're after

The danger with mathematically perfect encryption or theoretically invulnerable software is that the user tends to extrapolate to the entire system and gain a false sense of security. Cooprider and Bisbee are hopeful that there's a "tonal shift" underway in the IT world against the false hopes of an invulnerable system. As Bisbee put it, "detection is the new prevention." If the goal previously was to build an unhackable system, the new goal is a system that can tell us when it's been breached, and tell us quickly. No system can be 100% safe, but a system protected by a defense-in-depth philosophy can recover more quickly in the real world of real threats.