The builders of digital trust

More than 5.3 exabytes of information are transferred via the internet every day. This is an enormous amount: all of the words ever uttered in human history could fit into the same space.

The first internet message in history was transmitted over the ARPANET network in 1969. The message was meant to go from University of California UCLA to Stanford University, just over 600 kilometres away. But the phone booth-sized computer switched off before it completed the transmission.

The first-ever message was a stump – LO.

Programming student Charley Kline didn’t give up, however, and turned the machine back on. UCLA messaged LOG, Stanford replied IN – and the researchers even confirmed over the telephone that these letters had in fact been delivered.

Today, more than 300 billion e-mails and 60 billion WhatsApp messages are sent around the world each day. The number of internet users is approaching 5 billion and the average time spent online is some 7 hours a day, most of which happens on mobiles.

Our everyday life became digital in just half a century. What or who makes sure that our online lives are secure?

Concealed images and key pairs

One such person is Aalto University Assistant Professor Chris Brzuska. He specialises in cryptography or encryption methods.

The word krypto is of Greek origin and refers to the hidden or the secret. The Greeks of antiquity would tattoo secret information in image form on the shaved scalps of their slaves and send them out. Once the slave arrived at the destination months later, their head would be shaved again, making the message readable.

Modern cryptography is based on maths and computer science.

‘It researches and develops methods that protect systems and their users from adversarial interference. Whenever data is transferred over the internet, it needs to be encrypted to prevent outsiders from hearing or reading it,’ Brzuska says.

The work is done by employing mathematical algorithms and encryption keys that scramble the message into a format, which can be decoded only with the right key.

There are two principal approaches to encryption: the symmetric-key method and the asymmetric or public-key method. In the first approach, the same key is used to encrypt and decrypt messages, requiring both sender and recipient to either know the key or find a way to transfer it via a secure channel.

Often this cannot be done.

This is when the public-key method is used. It is based on a key pair of a public-key and a secret-key such that the secret-key is hard to compute, given only the public-key. The pair’s public key encrypts the message, while the private key decrypts it. The parties only need to convey their public keys to each other to enable encryption.

‘It’s a really cool concept, without which the entire net’s encryption would collapse in an instant. When Whitfield Diffie and Martin Hellman came up with the idea, few people could have thought that it would have a practical application. Back in the 70s, it was inconceivable that someone would want to secret information with complete strangers,’ Chris Brzuska says.

Users typically don’t need to think about keys and algorithms, as these are handled by software applications and communications systems. Encryption protects instant messages, payment traffic and webpages alike – the letter s at the end of the https component of a web address specifically indicates that the resource is accessed via a secure, encrypted connection.

A trade-off is often necessary between security and functionality, making it necessary to choose how much of one you desire at the expense of the other. Brzuska notes that contactless payments provide an apt example of this: the downside of the convenience of this method is that, should a card fall into the wrong hands, it is easy to use it to make unauthorised purchases.

People are also affected unequally when protection fails.

‘Striving for equality is a major source of inspiration for me personally. Should a couple of hundred euro vanish from my account, I know what steps to take to get it back – and I won’t starve while waiting for the money. Not everyone is as privileged,’ Brzuska says.

Brzuska and his students have been involved in the effort to improve many widely used encryption protocols. A lot can be done but no matter how refined a mathematical model may be, it cannot cover every possible eventuality in the real world, he says.

Even the most sophisticated model can contain a hole or two.

Digital scouts

In January 2021, the United States Department of Defence tweeted about a fresh milestone: the number of vulnerabilities discovered in its information systems had just passed the 25k mark.

The US government’s annual data security budget is worth some €15b. Yet the tone of the tweet was celebratory instead of regretful – and for good reason, says HackerOne CEO Mårten Mickos.

‘Once bugs are discovered, they can also be fixed.’

HackerOne is a network of white hat hackers. Besides the Pentagon, its assistance is relied on by the likes of Google, Lufthansa, PayPal and Twitter.

The digital world has borrowed the term ‘white hat’ from the heroes of old Western films. A million white hats from around the world are already involved in HackerOne. Mickos describes them warmly as something like the girl scouts and boy scouts of the digital sphere, people with high morals, good hearts and a desire to lend a hand.

‘And they’re of course also incredibly smart and boundlessly curious. Most are men and women in their twenties, and almost all are self-taught. They have honed their problem-solving skills all their lives by doing the very thing their parents nagged them about – playing video games. For companies they are almost like lifeguards.’

Companies reward these hackers for discovering vulnerabilities, with the amount determined based on how serious the issue is. The reward for finding a critical bug that jeopardises, say, the operation of a factory or power plant putting the economy, health or security at risk can easily be tens of thousands of euro.

But it is important to find and patch also the bugs that appear harmless. Mårten Mickos compares the situation to a boat or a log cabin: a small hole won’t immediately sink or collapse it, but can be the start of a leak or provide access for breaking further in.

‘The hack of the credit reporting agency Equifax is a good example. It started from a single small vulnerability. For Equifax, the compensation, repairs and fines associated with this breach eventually cost some €1.5b. And, of course, the personal information of millions of people that got stolen couldn’t be returned for any price.’

Nobody knows the exact number of information security vulnerabilities in existence, but even the more careful estimates put it at hundreds of millions globally. Every 39 seconds, a black hat hacker launches a data security attack in some corner of the world. Among them are professional criminals, actors engaged in political warfare, reckless teenagers and simple thieves. For some robbers, getting away with €50 to feed their family is enough incentive for them to ignore the harm inflicted to a faceless stranger on the other side of the world.

But you shouldn’t let these numbers get you down, Mickos stresses. The digital world is still in the prototype stage and, just like the abovementioned log cabin, it can be shielded, patched up and any bad parts replaced entirely.

‘Like in the physical world, the good guys overwhelmingly outnumber the baddies in the digital sphere. The good guys are skilled, ambitious and prepared to share their knowledge. However, we do need better data security education, openness and collaboration against emergent threats, as the defence only wins when the opponent fails to get through even once.’

And defence cannot be the sole responsibility of the white hats.

Healthy distrust

The spread of the Covid-19 pandemic quickly became noticeable on Cyber Weather as well.

Cyber Weather is a monthly report on key information security incidents compiled by security expert Aino-Maria Väyrynen and her colleagues at the Finnish Transport and Communications Agency’s National Cyber Security Centre.

‘Up-to-date information is the best remedy against data security threats. Along with a dose of healthy distrust,’ she says.

Phishing for data and money through email is one of the information security threats most often of Covid-19, these messages began to repeat sad stories of job losses, bankruptcy and money troubles that the good recipient could perhaps help with.

Phishing is potentially very profitable for criminals because the returns are large relative to the risk and effort.

‘They also do it as their profession and are thus very good at it,’ Väyrynen says before listing some basic guidelines for a safe digital life.

Every service must have its own password, which is as difficult to guess as possible.

And because it is impossible to remember numerous strong passwords, you should install a password management application.

Two-factor authentication enhances security enormously and should be implemented in at least your email and social medial accounts. It can take the form of a password or a text message, as is often the case with payment transactions, or a separate app installed on the user’s phone.

It is wise to back up your data, either in the cloud or on your own devices.

Keep in mind that the authorities will never ask for your banking passwords, and you should never share them with anybody.

And if you have any doubts at all, take a pause.

‘Taking a breather is always a good idea. You should not rush into opening links and files sent by unknown sources. And if someone calls promising to fix your computer, requiring you to just grant them access to install a program, the question you should be asking yourself is: would a global corporation really have personal customer service this good? Many con artists will claim the matter is urgent, so that’s always a warning sign, too,’ Väyrynen points out.

Changes in the Cyber Weather are sudden and sharp. Social media, for example, has opened up entirely new opportunities for romantic swindlers who can drain their victims of money from behind fake profiles.

If Aino-Maria Väyrynen had to make a forecast, she’d say the next disturbing clouds will be associated with the Internet of Things.

The fact is that many devices, such as home appliances, are not designed to be linked with the web. And once they are connected, information security may well not be up to desired standards. A malicious neighbour might turn on your sprinkler, accessible through an open network, letting it flood the lawn around the clock for the duration of your family vacation. A spiteful ex could eavesdrop and peep in if your house contains unprotected microphones or cameras. A thief might crack a sloppily installed, web-visible locking system and break in.

Criminals will go where the citizens are, Väyrynen says.

‘This is why citizens need to pay their personal information security attention equal to that which they give to their home security.’

This article is published in the Aalto University Magazine issue 28, May 2021 (facsimile copy on issuu.com).