A recently uncovered crypto key flaw is a perfect example of why businesses shouldn’t rely on encryption and other digital protections alone when it comes to data security.
Estonia is well-known for its widespread and enthusiastic use of technology. This Northern European country is one of the most well-connected countries in the world, with Internet access available in just about every corner of the nation. Technology and technology skills are a big part of Estonia’s education system, and they’ve integrated computers and connectivity into the fabric of their everyday lives.
In 2005, Estonia introduced online voting for its citizens. Each citizen is issued unique PINs and logins for government services that include not just voting, but also filing taxes and encrypting sensitive documents to keep private information private. Until very recently, this seemed like a perfect system.
Researchers have uncovered what has been deemed a critical flaw that has the potential to compromise anywhere from millions to hundreds of millions of encryption keys that protect data and services like the ones mentioned above. This is especially concerning for Estonia’s voting system, as it makes voter fraud a grave concern for the first time in the history of their online system.
This uncovered flaw allows hackers to figure out the private portion of a vulnerable encryption key using the public portion of said key. With a completed key now in their possession, a hacker can easily impersonate the key’s owner to do any number of things, like work around the protections in place to keep stolen computers from being accessed or tampered with, sneak malicious code into software, or decrypt sensitive data of all types. And this issue isn’t just impacting Estonia.
While the country has suspended 760,000 national ID cards as a result of this flaw being made known, any organization that uses encryption keys known to be vulnerable to ROCA (named for the Return of the Coppersmith Attack the factorization method is based on) also needs to be concerned about this flaw. As of right now, most of these organizations are downplaying the risks this weakness poses.
To give you an idea of the scope of this encryption issue, Gemalto, a Netherlands-based smartcard maker, is one of those organizations. Gemalto’s IDPrime.NET card has been on the market for more than a decade and is used as a way to provide two-factor authentication to employees of Microsoft and other companies. They’ve acknowledged that the cards “may be affected,” but have otherwise been tight-lipped about the situation.
Relying On Encryption Alone To Protect Your Data Is A Risky Move
This encryption vulnerability and its potential consequences serve as a great example of why layered and monitored protection is the only way to protect your business against a data breach effectively. Encryption may be a powerful security tool, but no technology is completely foolproof.
Businesses that take a hands-off approach to cybersecurity open themselves up to a long list of vulnerabilities and risks that could otherwise be dealt with before they create problems. There are many innovative and advanced cybersecurity measures available for businesses and their IT partners to use in order to build a strong end-to-end security system, but just having those measures in place is not enough. You need to play an active role in your business’ cybersecurity.
The human element is often overlooked on both sides of the cybercrime issue. Computers aren’t targeting your business; people with computers are. People can be unpredictable at times, and approach obstacles like your security system in ways technology alone can’t. The same goes for your business. Your employees need to be aware of not just the cybersecurity measures your business has in place, but the threats that they can expect to encounter.
While solutions like firewalls can stop a large portion of the cyber threats that are leveled at your business, trusting in that technology alone leaves a gap in your defenses. As mentioned earlier, the hackers currently exploiting the uncovered crypto key flaw are relying on access to public information to kick-start their plans. When needed information isn’t readily available, however, hackers need to get creative in order to get their hands on it.
Social engineering isn’t just a specific type of cyber attack; it’s also a tool many hackers use to fuel other types of attacks. And since this tactic targets your employees and not your technology, data encryption and other cyber defenses can’t protect your business. Of course, it’s not just social engineering you need to be wary of. Knowing how to recognize suspicious activity of any kind is critical. If a hacker does manage to break through your defenses, the faster you spot the intrusion, the more damage you can prevent.
Vigilance is the key to strong cybersecurity. Relying just on encryption technology to protect your data won’t guarantee that your sensitive and mission-critical business information will stay out of the hands of cybercriminals.