Encryption 101: 4 Useful Concepts You Need to Know
Another one of those cybersecurity concepts that is talked about a lot but difficult to fully understand is Encryption. By understanding a few basic concepts, you can make sense of it all.
Episode Resources:
- Resilience Cybersecurity & Data Privacy
- Best Small Business VPN Services – Resilience Cybersecurity & Data Privacy
- The Best Cloud Backup Services for Personal Data and Devices – Resilience Cybersecurity & Data Privacy
- The Best Password Managers for Individual and Family Use – Resilience Cybersecurity & Data Privacy
- Introduction to Cryptography Basic Principles – The Geek Stuff
- Symmetric Key Encryption – why, where and how it’s used in banking – CRYPTOMAThIC
- What is asymmetric encryption? – Cloudflare
- Symmetric vs. Asymmetric Encryption – What are differences? – SSL2BUY
- Hashing vs. encryption: what’s the difference? – NordVPN
- Hashing vs Encryption – What’s the Fundamental Difference Between the Two? – AboutSSL
- Advanced Encryption Standard (AES) – TechTarget Security Blog
Episode Transcript
Brian: Hey, welcome to the Fearless Paranoia podcast. Thank you for joining us today. We are here demystifying the complex and disturbingly dense world of cybersecurity. I’m Brian, the cybersecurity attorney; he is Ryan, the cybersecurity architect. And today we are going to talk about a particularly dense and particularly complex component of cybersecurity, something that I think everyone is familiar with in theory or in overall practice. But what very few people seem fluent with is how it actually works. And what we’re talking about today is encryption. Now this is a subject that I find particularly interesting, one because it’s, you know, so incredibly math based, and two because, thank merciful God, I have someone who is much better at math than I am to help me work through all this crazy, crazy stuff. And that person is, quite helpfully, my co-host on this podcast. Ryan, how are you doing today?
Ryan: I’m doing great. It’s a really interesting topic that we’re about to dig into today. So I think we get right in.
Brian: Alright, so I think everybody understands that encryption is something that is used pretty much all the time. Now you see encryption or cryptography. I mean, the word is a part of the cryptocurrency that, you know, the crazy psychotic, self-destructive tool that many people in the tech industry have attached themselves to. But encryption itself is an incredibly important way of keeping things protected and secret. So, when we’re talking about encryption, we’re not going to get into the heavy, heavy details of how all this stuff gets encrypted. And what it really gets changed to whatever like that. But largely encryption, by its very nature has a basic structure, right? Help us out with that.
Ryan: Yeah, so encryption at the core is modifying your data to a position where it can’t be read until you’re ready to have it read again. And so in order to do that, you really got to break it down into three distinct pieces that make up the chain of encryption. And that’s going to be the data to start with, you know, the data that’s plain text readable at the moment that it begins, you’ve got the engine, which is the encryption, the algorithm set that’s used to actually process the data and transform it to its unreadable form. And then you end up with the key, which is the access tool to go in and out of the data. And those pieces can vary a little based on the type of encryption, but that’s really kind of the general core behind the concepts of encryption, you use the key to start the encryption process and to do the decryption of the data, you use the engine to actually transform the data itself by processing the key and running it against its algorithms. And then you’ve got the data itself, which is the piece being transformed in and out.
Brian: Sounds to me like what we’re talking about, it’s kind of if you imagine a scanner, a very regular document scanner, you send paper through what’s on the paper would be the data, the engine itself would be the scanner, and then the key would be the button that determines the scanner on now, I mean, obviously, it’s not a perfect metaphor, but if you imagine it that way, and then the paper goes through the scanner, and then what comes out on the other end is unreadable, then you put it back through with the same key, and it’s readable again because basically, that’s the system, you’ve got the thing that you use to essentially trigger it, or that is what makes it work the key, you’ve got the information that it’s being changed, but the heart of it is that engine.
Ryan: That’s correct. And you actually had a really good breakdown right there of symmetric encryption, where you said, you know, use the key to run that or to process that one way if and in the reverse, which is slightly different from when you get into the asymmetric encryption, then where you’ve got a pair of keys, so you can actually set up that transaction to be distinct between two different people that have two different sets. In a lot of cases, it’s really used for kind of one-way secure communications, somebody can maintain their private key and post out a public key, which you just hand out to the world. So, anyone that wants to get it can use it to encrypt a message, send it one way under you, and you’re the only person that knows how to retrieve that message and deal with that.
Brian: Okay, let’s talk about that. Because you mentioned a couple of different things there. You talked about both the concept of asymmetric and symmetric encryption. And it’s also referred to secret key and public key encryption. What is the difference between symmetric encryption and asymmetric encryption?
Ryan: There’s a couple of major differences. At the core, the most major would be speed and efficiency, symmetric encryption, just due to the fact that there’s a single key used, and there’s a lot less time involved in processing that encryption so much quicker. Again, symmetric encryption is usually handled when you’ve got a single user a single component involved in the data transaction. So, you only really need the one key to lock and unlock the data because you’ve got one master that’s effectively delegating access to it. Or if you’ve got one pair of people that are just using that one single key as a tool to facilitate communication or file transfer, data transfer, etc. I’d want to do it securely. So like you and I, we could use symmetric encryption, because we just both have a copy of that one key. So it’s two copies, same key, we use that to pass the data back and forth. As long as those keys aren’t compromised, you and I can securely pass data.
Brian: It sounds to me that in that particular context, that speed and possibly even complexity of that key could be a huge advantage. But it becomes almost such an inverse relationship between the number of people who have access to the key and the actual security of that encryption process.
Ryan: Yeah, and it comes down to use cases, too. So symmetric encryption would be really good for something like point-to-point, you to me. But it’s not easily scalable. Let’s say that I’m the only one ever receiving data, you’re just sending stuff to me. So, we both have that same key. But now if I want to build that kind of relationship with 100 other people at scale, now I have to produce 100 full pairs of those keys. And now I have to maintain half of 100 key pairs, where each of you guys have the other half. In a style of like asymmetric encryption, I hold the one private key, which allows me to decrypt everything, and then I just publicly share the other half of the key and just say, it doesn’t matter if anyone has that, because they’re not using that to really handle any decryption on their end, what they’re using that for is to lock the box effectively before they ship it to me, and then I’m the only one that can unlock it. So, for instances like that, where if I’m the only intended recipient of something, that makes a lot more sense, because then I can really go at scale a lot more easily and be able to manage that where I still only have to manage the one key and then I manage the one public key that everybody else has.
Brian: You start talking about the public key, that’s our asymmetric encryption. So, symmetric encryption has essentially one key that both encrypts and decrypts. What is different about the public key encryption, how does the public key come into it?
Ryan: Again, with something like asymmetric encryption, you’ve got more points of potential compromise for your encryption, because all points of the transaction have to have access to that same key, which means if any one of those points becomes compromised, you end up running into an issue where you end up having to cycle keys and start the process over risk your data being potentially compromised. With something like the public private keys, you’ve got only a single point really, that you need to worry about as far as compromise as far as being able to decrypt those transactions. So that makes that a little bit easier to secure from a point of doing more public file transfer.
Brian: With symmetric encryption, what we’re talking about is literally everyone needs the same key to encrypt the same key to decrypt. With asymmetric, what you’re talking about is that everyone gets a copy of that public key, and then every individual has their own essential private key. Is that right?
Ryan: That would be correct. Yep. So, the way that you would do those communications, if we wanted to do that two ways, we would each have a private key that we would maintain, and we would each publish a public key. So, I would go and grab your public key to encrypt something I want to send to you use your public key that way I encrypt it, I can never decrypt it again. But nobody else can except for you because you have the only key that’s able to decrypt that likewise, to return the transaction, you would come in, retrieve my public key, encrypt the file, send it to me, and then I’m the only one that’s able to reverse the transaction.
Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms. Also, please share this podcast with anyone you think would find it helpful or useful. We rely on listeners like you to help get the word out about this show, and we appreciate the support. Now, time for some more cybersecurity…
Brian: There’s one other topic is more like a third function. You keep hearing all the time, every time someone gets breached, or something like that. You hear about hash values and hash flux or something like that. How does that play into encryption?
Ryan: So, hashing and encryption are really two different things. They kind of get blurred a lot in the middle, because encryption at its core is modifying the data itself so that it becomes unreadable and then returned to a readable status. What hashing is, hashing is more for validating change control of the data to make sure that the data holds its integrity, and that the data is not modified. So you can use stuff like, back in the day MD5 was a huge thing, people would use MD5 to validate that a file, if you were downloading source code from a repository, somebody could upload a copy of their new code, they would upload it with a hash, so that if anyone goes in and modifies that code, you could run it through MD5. And if the hashes come up the same, the code’s the same as it was when it was uploaded by the original person, there’s integrity. If there’s a different hash that comes out, that means there’s been some sort of modification to that code. So, it’s really used to kind of do validation more than anything else. When you hear about things like passwords being stored as hashes, that’s not really like an encrypted version of their password, there is an algorithm that’s used to generate the hash from those passwords. And then the hashes are stored in lieu of the password. So that way, you’re not actually storing passwords in those systems, you’re storing a hash that’s been generated by the system to process those passwords. So, it has a way to take and validate those inputs when they come in later.
Brian: It’s like a version of encryption without being traditional encryption.
Ryan: It’s a version of the encryption, but you’re not the output you’re dealing with isn’t the actual data in its original form, what you’re dealing with is a result of processing that data against something else. And the hash is just basically saying like, so we generate a random number, let’s say two, and we take whatever data we’ve gotten, we multiply everything by two, and that becomes our hash. So, when somebody gives me a piece of data later and says, Hey, is this the same data from before I take it and I multiply it by two and I look at the original hash, and if they compare, I go Yeah, that’s the same data now. That’s a super simplified… like don’t that’s not proper, but…
Brian: Right. But the important thing, there’s but to say that if you were breached, and someone got that information from you, and they got what you store, if let’s say that’s the passwords, let’s use that example. If you store all the passwords as the actual password times two if someone got that information they couldn’t then turn around and then use that plug that in access your account because it would be wrong.
Ryan: Well, if the hash was that simple, then they could, but of course, they could break it down by proper hashing, yes, there should be no easy way to reverse a hash back to its original form, because you can’t reverse the algorithm without having access to the original engine.
Brian: And okay, so basically, it’s something that stores your entered value as a different value, so that in the event that someone else, maliciously got ahold of it, they couldn’t simply use that value to access your account, they would have to understand how that value was determined.
Ryan: That’s mostly correct. And in some instances, they did find ways, there are people that have found ways to use that. There are pass-the-hash issues or methods out there to access accounts by being able to derive those hashes and pass those along and actually complete authentication with those. And there’s a lot of hardening techniques that you can use to really prevent a lot of that from happening. A lot of that was just kind of oversights over the course of years, as the maturity of cybersecurity was built into systems.
Brian: We’re going to talk about some more specific things in subsequent episodes. And one of the biggest things we’re going to talk about is how encryption and the way encryption is handled now is going to be impacted by the eventual development of quantum computing. But before we get there, let’s talk about a couple of basic things. First, what are some good examples that people in the regular world would see when you think of symmetric encryption or private key or secret key encryption? What are some examples of how that is used in the regular world?
Ryan: A lot of the examples that people probably recognize right up front are going to be the way a lot of internal encrypted email exchanges are because those are all symmetric. And it’s all handled internally with the company using usually private PKI. Other symmetric encryption would be things like connections to routers, people see a lot of those connections between your devices.
Brian: So like when you see I think that probably the most common place I see this is when you see AES encryption on a router. When you’re setting up like setting up home wireless and things like that. And that’s because essentially, between your router and the devices that are connecting to it, you only need in fact, you probably only want one key.
Ryan: Yeah, there’s some level of trust that’s kind of assumed there at that point that the owner of the device that’s processing that connections and the owner of the devices that are going to connect to it are all known trusted and are okay to share that same key and you’re not offering it up as more of like a public service.
Brian: You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: What would be examples then of asymmetric encryption that people would encounter in the real world?
Ryan: I know that there’s a lot when people are doing especially like in our industry, when people are doing a lot of data transmissions that need to stay secure. So things like journalists in rough areas trying to pass information back over, we’ll do things like this where they’ll go through public-private key shares so that they can exchange data with a lot of people en masse.
Brian: Like any communication system that uses encryption, then pretty much that’s at least a commercial system, right?
Ryan: I think I got to have a majority of those will end up employing some sort of asymmetric encryption.
Brian: I guess, like the people looking at this on a website don’t harp on us too much yet, we haven’t gotten our SSL certificate issue straightened out. But if you’re using SSL, that’s an asymmetric encryption.
Ryan: That is correct. The majority of the encryption that most people are going to encounter on a day-to-day basis is going to be the asymmetric kind. I think most of the encryption that people encounter, where they’re actually interacting with it on a regular basis will end up tending to probably be a little bit more heavily in the ballpark of asymmetric where the encryption is handled specifically by systems kind of as a function behind the scenes and the users aren’t directly interacting with it. And a lot of those instances, you tend to see more symmetric, and again, that’s just kind of a broad assumption, categorizing things.
Brian: One other area that I really want to help people get a basic understanding of is you see a lot of letters when you deal with encryption. But you also see a lot of numbers. Now I know that the numbers are different between symmetric key and asymmetric keys. But you see, like, for example, we’ll go back to the routers, the great example is they all seem to want to advertise whether they use RSA 128 or RSA 256. What is the number you know, 256 bit encryption? What does that mean?
Ryan: Yeah, so the number of bits, without getting too overly technical, is the level of complexity of the algorithm that is being run against the data to encrypt it. Again, something like if you do a really basic times two, like we’re talking about for the hashes, that’s a very simple algorithm to run something against, which means it’s very simple to reverse that encryption. So going to larger bit sets in your algorithms adds more complexity to the equation, it makes the outputs a lot larger, which just computationally becomes much more difficult to reverse through like brute force. And through more manual methods, which really forces you into having to access the key in order to be able to decrypt the data, there’s no way to just run cycles against the data to reverse it. Like you can’t know some of the weaker encryption methods.
Brian: Basically, the higher number means the more complex. I’ve heard some people refer to it very basically as the length of the key, which is not really an exact description, right?
Ryan: It’s not really, I think it’s just said that way, because it’s the easiest to just take it, it is a pretty complex topic. I guess, if we’re looking for an easy way to understand it, you know, if we were to describe it, the length of the key 128 is going to be less complex than 256.
Correct. 256 will be more complex, it’s going to generate a more complex output. And at the same time, that also means it’s going to require more resources to process that transaction back and forth through encryption. So again, what 128, if it’s efficient for your needs, will be faster than 256. So, if speed ever becomes an issue, that’s the one point where you have to start looking for some of those compromises with encryption. But 256 in and of itself should end up being more secure, if it’s employed properly.
Brian: Well, there’s a lot to dive into with basic encryption. And one of the next topics that we’re going to address on this is a broader understanding of something that’s in the news a lot lately and called end-to-end encryption. But that involves a bit deeper discussion than we have time to get into today. We will be addressing it though. So do come back for that episode. If there’s any specific questions you have on encryption, or things that you’d like us to deal with more directly, we strongly encourage you to go to our website, www.fearlessparanoia.com. And you can either leave us a comment there or reach out to us on any of the social media sites that haven’t currently banned us for no reason whatsoever, which at the moment includes Facebook and LinkedIn. You can go ahead and accept the notable omission there for whatever value you want to take out of it. We want to thank you for joining us today on Fearless Paranoia.
Ryan: I am Ryan and he is Brian, and we appreciate you guys listening in and look forward to more conversations about cybersecurity topics in the future.
Ryan: And I’m Ryan, cybersecurity specialist.
Brian: This is season one, episode one, the inaugural episode: Ransomware 101. Today we are talking ransomware at a very basic level. In this episode we’re gonna discuss the essential principles of ransomware. What is it, at its core? We’ll discuss the general concept of what ransomware is, why it is so disruptive, and why it’s so effective. Just remember, this episode is not meant to be a deep dive into all the individual aspects of ransomware. This is a general survey of the subject to make sure that you’re familiar with ransomware in general. We will be bringing the deeper dive into various aspects of ransomware in later episodes. This, however, is ransomware 101.
But before we get there, we want to remind everybody that you can check out our other episodes on Fearless Paranoia.com. You can also subscribe to our podcast through any of your favorite podcast subscription services. For additional information on how you can keep you, your business, your family and anyone else safe from cyberattacks, please visit our website at www.resiliencecybersecurity.com to get tips, hints and suggestions and plans and procedures and everything you could possibly imagine to help protect yourself from cyberattacks.
It’s a Saturday night and for reasons passing understanding I’m working. It’s 8:30pm. I open my laptop, and knowing that I’ve got some work to do, I open up my Dropbox connection where I put some documents in the day before at work. As I opened the box, something catches my eye. But not enough for me to think too much about it. The files that were there, they’re all their regular files, but they’re not quite the same. And as I’m glancing through, I can’t really figure out what’s different. I also noticed that the icons don’t seem to be loading properly. But that could just be my computer being my computer. I double click on a Word file that contains something I was working on. That’s when it’s confirmed that something’s wrong. Instead of one box opening, two boxes open right off the bat, not a good sign. The first box opens up and it’s a bunch of gibberish, symbols, letters, any kind of order. And I’m really puzzled for a second. But then I see behind that document, the corner of the second document is open. That one doesn’t have symbols, that one doesn’t have jumbled, jumbled language. It has text in bright colored font: they have my data locked up. And I can contact them at this email address to arrange to make a payment to unlock it. I’ve been hit by ransomware.
The story I’ve just told you actually happened. Fortunately, it was from back in the days when before ransomware became quite as insidious as it is now and we were able to resolve it with limited business interruption issues and other costs. In fact, the costs of reclaiming our system, clearing it up and everything, actually ended up being less than our insurance deductible. That’s something that doesn’t really happen anymore.
So what is ransomware? I think most people who follow the news or anything, read anything about computers, anything about business, anything about security these days, knows or has an idea of what ransomware is. But getting an understanding full technical definition requires expertise that exceeds most people and requires time that most people don’t have. Fortunately, we’ve got them both. And Ryan, the cybersecurity and IT specialist. So Ryan, walk us through what is ransomware?
Ryan: That’s a fantastic question, Brian. I’m protecting against the defending against ransomware really starts from the core of just understanding what it is and how it works. And so what is ransomware? It’s software. This is a piece of code that somebody’s written, that encrypts data enacting very, very standard, very widely used encryption tools that are being used with custom algorithms, and makes it unusable to anybody other than the generator of that software to create a ransom-able environment or ransom-able situation where they can hold data of yours hostage and offer it back to you for what they consider to be a very reasonable cost. It’s no different than old fashioned kidnapping or theft for ransom or anything to that effect. The main difference here is these are things that are not happening in your front yard. These are things that are happening from people halfway around the globe, over the internet, you know, a tool that we all use every single day.
Brian: So the concept it means it’s taking something hostage, and it’s the idea and I think, I mean, it’s been around forever, but the idea that something is worth more to you to get back than it may be worth on the open market. The idea of, even if your computer systems were full of personal information that might be sold on the dark web, that data is not that expensive on the dark web, but you were willing to pay a lot more to make sure it comes back or to use it yourself, then it then has actual intrinsic value.
Ryan: Yeah, that’s great. You actually touched on a couple of really important points there, too. The first one is that the data is important to the generator, the owner of the data, and life is just not as easy to continue on with without having it back. Whether that’s a detriment to your business, this is core critical data that you don’t have backed up somewhere else. It’s data that is not recoverable easily. And so it’s, it’s got a certain level of value attached to it. Some of that data has just value purely to its owner. Some of that data is very valuable to a whole variety of people based on the nature of it. So not only do you have a situation where as your data gets into a situation where it’s been encrypted by ransomware, and it’s being held hostage, that data, again could just be valuable to you enough for you to offer a payment back to these criminals to get access back to your data. It could also be valuable to them from an extortion standpoint of what happens if we dump this data, are you going to be willing to pay us a little extra not just to get access back to it, but to keep us from publicizing the state out on the internet so that everybody else can have a copy of it too. And that’s been that’s been something much more prevalent and the ransom attacks popping up in the in recent times is that there’s almost a two-stage piece behind that ransomware attack where they attempt to profit twice from it. And again, it’s good from a business standpoint, but it’s, it’s terrible for the rest of us that are on the receiving end of those types of malicious attacks.
Brian: You’re listening to the Fearless Paranoia podcast for more information on keeping yourself your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.
Brian: Yeah, I’ve been amazed recently how it does seem like ransomware while certainly was you know, when this stuff first became popular it was an effective term; extortionware almost seems like it’s the better term for the modern version, because ransomware evokes the concept of “we’re holding this until you pay us to get it back”; extortionware it is a much. I mean, and that is a a version of extortion. You know, kidnap and Ransom situation is one type of extortion, we are going to illegally get money from you, based on you either doing something or not doing something. We’re going to leverage you to pay by taking something valuable of yours and returning it back. But the whole concept of extortion, there is this idea that you can be compelled to do something not just based on the proposition of getting something back, but on a whole variety of levers. And I think, and we’ll talk about I definitely want to talk about this in greater detail, in a later episode, this concept you touched on as the what I’ve been seeing referred to as double and triple extortion, where the people doing the extortion actually leverage different ways of getting you to pay, one of which is not even approaching you with the ransom, but approaching your customers and letting your customers know that, you know, they have your data. And there’s the actual data about the customers. And I think one of the more famous examples of that recently was, I think, a Scandinavia, essentially a large psychiatric organization where they took people’s patient notes and contacted the patients that said, if you’re, you know, if your psychiatric doc doesn’t pay up this ransom, we’re releasing your psychiatric notes.
Ryan: Yeah, it’s definitely taken a few different iterations. And it continues to find ways to become not just more effective, the malware families and especially the ransomware itself, but just the entire method of distributing it and how they’re utilizing it to draw maximum income capabilities out of the whole process has really kind of gone through, again, a whole series of evolutions, and I don’t see any of that stopping. A lot of it follows very standard criminal methodologies of just finding, you know, low hanging fruit, easy opportunities. And a lot of these ransomware attacks really kind of focus on, you know, those easily exploitable people. So again, folks like ones with medical issues where something is, you know, that’s really personal information, or going into a business and stealing source code from a software developer. That’s your bread and butter. Those are your trade secrets. That could be something as simple as a customer database where maybe it’s not critical to your business, but it’s certainly going to be critical to everybody who does business with you, which can turn into, you know, a major business impact later on if that data were to get out. And so it’s a constantly changing field. And it’s one that’s one that’s just going to keep getting more and more devious, which is why it’s more important than ever now that we put in to effect at the personal professional levels everywhere we can basic internet hygiene practices to stay safe from some of these because a lot of these attacks are taking advantage of and exploiting overlooked updates, overlooked resources, very well known exploitable holes that could be, they can be closed pretty easily with basic hygiene practices, basic updating and patching. And there’s a lot of just general hygiene practices that can really prevent, I’d say, I’d say a good majority I’d even go so far as to guess probably 90% of a lot of these are really avoidable incidents.
Brian: You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out FearlessParanoia.com. We’ll find a post for this episode containing links to all the sources research information that we have cited to you. And also check out our older posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: Let me ask you real quick cuz I think that, you know, a lot of people who watch you know, any TV program that deals with computer issues, and usually deals with very poorly among most people, I think is this idea that encryption can somehow be cracked. I think in reality, cracking encryption really means having the password, having the key that unlocks the whole thing. And we’re definitely going to have an entire episode on just helping people understand the basics of what encryption is and how it actually works. But when we’re talking about encryption, you’re not cracking any of this stuff, unless you know the code, right?
Ryan: So yes and no. In some instances, some of the less mature ransomware gangs have used very weak ciphers and some of their ransomware code that they’ve done, they’re developed and in some of those cases, and it’s been relatively trivial for some expert researchers to reverse engineer what was used. And so yes, some encryption, and in theory, all encryption really can be cracked, as long as you have enough time and enough resources to do all of the testing and all of the brute forcing. And part of the biggest problem is a lot of these encryption ciphers nowadays, even with extremely powerful supercomputers or distributed computing, or even if you were to find a way to wrangle the power of like an extremely sophisticated botnet, something where you’ve got a lot of computing resources to crack away at this, and we’re still talking years, decades, potentially centuries, in some cases, to crack some of these with current technology. So again, are they crackable? Yes, is the likelihood that they’re going to be cracked with any sort of, you know, in any sort of short timeframe or with any ease, it’s pretty, pretty safe to say no, in most of those cases, theoretically…
Brian: It’s uncrackable. Practically speaking.
Ryan: In most cases, where the ransomware tools do get reverse engineered and do get cracked, a lot of times, it’s either because they’re using an extremely old piece of tooling in the ransomware. Or it’s because the ransomware gang itself has had some of their code repository or places where they’re holding some of those secrets, some of those passphrases keys actually gets compromised. And what they’re doing to other people actually happens back to them as their source code, their internal tools are taken by security researchers and then distributed on the internet, saying, Hey, here’s a tool to help you decrypt all of these things, because we broke into their infrastructure, you start to get into some interesting legal issues from that side, too. But again, it does happen from time to time that some of these things do get reverse engineered or do get broken, but it’s not something that one would ever want to count upon. The better approach is to certainly put plans in place to protect yourself from it. And to make sure that in the case that it does happen, you’re not counting on either having to pay a ransom or find a key to get back into it, that you’ve got a secondary plan in place to make sure that you can continue enforcing business continuity around the issue instead.
Brian: So what is ransomware then fit in in the overall concept or context of a business getting hacked?
Ryan: So the ransomware again, ransomware is very rarely ever the first stage of compromise. Ransomware is usually one of the end stages of compromise. That’s kind of the end goal is to apply the ransomware, apply the ransom and collect and then finish whatever the business relationship is there, if you can call it a…
Brian: Business relationship gets business conducted at the end of this meeting, the your signature, or your brains will be on this contract. Yeah.
Ryan: And effectively, I mean, it is it is business. I mean, it’s a billion-dollar industry, you know, so ransomware is a huge business nowadays. It’s a legitimate business and most of our minds, but it is what it is.
Brian: And so it’s this combination of really strong encryption and these ransomware groups’ knowledge of where to look for critical information, and most importantly, what constitutes critical information for businesses, health care, so facilities, even individuals that makes ransomware so disruptive to our modern economy system way of doing things. Absolutely. Well, in a nutshell, there it is. Ransomware 101. Want to thank you for joining us today. Look forward to seeing you again in the future. Don’t forget to subscribe to our podcast, you can do so through your favorite subscription service or on our website. Also, if you have a specific cybersecurity topic you’d like to hear Ryan and I address in our podcast, you can go ahead and send us a message on the Fearless Paranoia website at FearlessParanoia.com. We hope to see you again next time. This is Brian and Ryan, Fearless Paranoia, signing off.
©2022 Fearless Paranoia