Exclusive: Hannah Fry says ethical pledge needed in tech fields that will shape future
Mathematicians, computer engineers and scientists in related fields should take a Hippocratic oath to protect the public from powerful new technologies under development in laboratories and tech firms, a leading researcher has said.
The ethical pledge would commit scientists to think deeply about the possible applications of their work and compel them to pursue only those that, at the least, do no harm to society.
Despite being invisible, maths has a dramatic impact on our lives
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. A widely used transport layer protocol, SSH secures connections between clients and servers. It was designed as a replacement for conventional Telnet and for unsecured remote shell protocols such as the Berkeley rlogin, rsh, and rexec protocols. These protocols send critical information, such as passwords, in plain text, and are susceptible to interception and disclosure through methods such as packet analysis or deep packet inspection. The encryption used by SSH provides confidentiality and integrity of data over an unsecured network, such as the Internet.
How Does SSH Work?
The SSH protocol employs a client-server model for authentication and encryption of data transferred between them.
Negotiating Encryption for the Session
Version Exchange: When a TCP connection is made by a client, the server responds with the protocol versions it supports. If the client can match one of the acceptable protocol versions, the connection continues.
Key Exchange Initialization: To start the key exchange, both sides send an SSH_MSG_KEXINIT message to each other, listing the cryptographic primitives they support in order of preference. These primitives are the basic building blocks used to perform key exchange and bulk data encryption. The following table (Tab.1) shows some examples of cryptographic primitives.
Diffie-Hellman Initialization: The key exchange begins with the client generating an ephemeral key pair (a private key and its associated public key) and sending its public key to the server in an SSH_MSG_KEX_ECDH_INIT message (Fig. 2). The server checks the authorized_keys file of the account that the client is attempting to log into for the key ID. If strict key checking is enabled and the key is not found to be correct, the server rejects the connection, thereby safeguarding the server from connecting with unknown clients. The key pair created is used only during the key exchange and is disposed of afterwards. So it is extremely difficult for an attacker to steal a private key while passively recording encrypted traffic. This property is called forward secrecy.
Diffie-Hellman Reply: On receiving the SSH_MSG_KEX_ECDH_INIT message, the server generates its own ephemeral key pair. The server computes the shared secret key K from its own key pair and the client's public key. After the shared secret has been generated, an exchange hash H is computed (Fig. 3). The server signs the exchange hash to produce its signature HS (Fig. 4).
The exchange hash and its signature serve several purposes:
• Verifying the signature on the exchange hash lets the client check whether the server has ownership of the host private key. If it does, the client is connected to the correct server.
• A faster handshake is achieved by signing the exchange hash instead of input to exchange hash.
The exchange hash is generated by taking the hash (either SHA256, SHA384 or SHA512, as per the key exchange algorithm) of the following fields:
• Magics M
• Server host public key (or certificate) HPub
• Client public key A
• Server public key B
• Shared secret K
Magics consists of the client version, the server version, the client's SSH_MSG_KEXINIT message and the server's SSH_MSG_KEXINIT message. With this information in hand, the server can construct the SSH_MSG_KEX_ECDH_REPLY message from the following:
• ephemeral public key of the server B,
• the host public key of the server HPub,
• and the signature on the exchange hash HS.
After the client receives SSH_MSG_KEX_ECDH_REPLY, it can calculate the secret K and the exchange hash H.
The client extracts the host public key (or certificate) from SSH_MSG_KEX_ECDH_REPLY and verifies the signature of exchange hash HS, hence proving the ownership of the host private key.
In order to prevent Man-in-the-Middle (MITM) attacks, after the signature is validated, the host public key (or certificate) retrieved is checked against a local database of the trusted hosts; if this key (or certificate) is not trusted the connection is terminated.
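The exchange-hash construction and trusted-host check described above, as an added example that is not part of the original article. It uses the SSH string and mpint wire encodings and an OpenSSH-style SHA256 fingerprint; all version strings, key blobs and the value of K are constructed sample values, and the function names are illustrative.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH 'string' encoding: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' encoding of a non-negative integer such as K."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # leading zero keeps the value positive
        raw = b"\x00" + raw
    return ssh_string(raw)

def exchange_hash(v_c, v_s, i_c, i_s, hpub, a, b, k, algo="sha256") -> bytes:
    """H = HASH(M || HPub || A || B || K), where M = V_C, V_S, I_C, I_S."""
    h = hashlib.new(algo)
    for field in (v_c, v_s, i_c, i_s, hpub, a, b):
        h.update(ssh_string(field))
    h.update(ssh_mpint(k))
    return h.digest()

def fingerprint(hpub: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a host public key blob."""
    digest = hashlib.sha256(hpub).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_is_trusted(hpub: bytes, trusted: set) -> bool:
    """Compare the presented host key with the local trusted-host set."""
    return fingerprint(hpub) in trusted

# Constructed sample values, not captured from a real session.
V_C, V_S = b"SSH-2.0-ExampleClient_1.0", b"SSH-2.0-ExampleServer_1.0"
I_C = b"\x14" + b"client-kexinit-payload"
I_S = b"\x14" + b"server-kexinit-payload"
HPUB = b"constructed-host-key-blob"
A, B = b"\x04" + b"\x11" * 64, b"\x04" + b"\x22" * 64
K = 0x80FF00FF  # high bit set, so the mpint gains a leading zero byte

H = exchange_hash(V_C, V_S, I_C, I_S, HPUB, A, B, K)
# Any change to a negotiated field gives a different H, so HS would not verify.
H_TAMPERED = exchange_hash(V_C, V_S, I_C, I_S + b"x", HPUB, A, B, K)
TRUSTED = {fingerprint(HPUB)}
```

Because the KEXINIT payloads are inputs to H, a client that verifies HS also confirms that the algorithm lists it saw are the ones the server sent.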
If you have ever seen a message like the one below (Fig. 5), it means that the key presented is not in your local database of known hosts.
Authenticating the User’s Access to the Server
The next stage involves authenticating the user and deciding access. Various authentication mechanisms exist; which one to use depends on the purpose the server is configured for.
The simplest is password authentication, but it is strongly discouraged because of its complexities and automated password-breaking scripts.
The most popular and recommended alternative is the use of SSH key pairs. SSH key pairs are asymmetric keys. The public key is used to encrypt data that can only be decrypted with the private key. The public key can be freely shared because, although it can encrypt for the private key, there is no method of deriving the private key from the public key.
SSH provides a secure encrypted channel for configuring remote servers, established through agreed cryptographic primitives, with user authentication by asymmetric key pairs.
The following diagram shows various stages of SSH handshake in establishing a secured channel that uses a password authentication mechanism.
The cyber threat landscape is currently one of the most talked-about issues across industries. The dynamic nature of cyberattacks makes cybersecurity the complete opposite of a stable function. Cybercriminals and hackers are trying to find new ways to attack enterprise systems almost every single second. Trends change quickly – yesterday’s threats can become outdated the next day and what works as a cybersecurity measure today may well have no effect tomorrow.
No wonder then, that cybersecurity as a core enterprise function struggles with the talent gap. A Frost & Sullivan report observed that the global cybersecurity workforce will have more than 1.5 million vacancies by 2020. To fill this gap, enterprises need to be agile and think on their feet to procure cybersecurity talent.
If they don’t, it is more than likely that the consequences could be disastrous – faced with mounting cybersecurity threats of varied nature and dimensions, an enterprise could end up with unskilled personnel to deal with a real threat.
So how can enterprises find a sustainable solution to fill this gap?
Some pointers that enterprises can consider are –
Look beyond degrees
Cyberthreats and the knowledge to defend the enterprise against them are always outsmarting each other. The continuously changing nature of the cybersecurity threat landscape means that the knowledge on how to fight these threats is also ever-changing. That inherently means that this is not a skill or talent that can be really gauged by conventional degrees.
Hence, instead of conforming to norms and force-fitting cybersecurity graduates, enterprises must broaden their horizons. They must instead look beyond degrees and identify the inherent traits required to solve cybersecurity problems when they hire employees.
Look for a culture fit
To invest in good, reliable cybersecurity personnel, enterprises must identify certain cultural traits and hire along those lines. Candidates must be inquisitive, with a knack for problem-solving and for going into the depth of problems to understand them. They should be good at handling pressure and should always have a back-up plan. But, most importantly, they must have a bent of mind towards cybersecurity, understanding its significance and importance and exhibiting cyber-secure behaviour in their own actions.
Invest in certifications
The best way to keep up with changing cybersecurity trends is to ensure personnel take certification courses which help them stay updated. Many organizations offer such certifications as a part of their Learning & Development calendar. To develop skill sets in the IT security domain for partner workforces, Seqrite also offers certification courses like Seqrite Certified Endpoint Security Professional and Seqrite Certified UM Professional, enabling professionals to demonstrate product features, configure security policies and deploy products in standard environments.
Develop and maintain strategic objectives
Ultimately, considering the criticality of cybersecurity for an enterprise, it is extremely important for it to begin at the board level of an organization. Enterprises must have clearly-defined strategies and policies on cybersecurity, outlining their protection mechanisms, what they are trying to achieve and how they execute plans.
This will ensure that enterprise cybersecurity has a roadmap and is not being dealt with in a casual manner, be it managing the talent gap or absorption of new cybersecurity talent. It is also important for enterprises to maintain cybersecurity programs within the organization and encourage upskilling.
By keeping the above pointers in mind, enterprises can meet the growing cybersecurity challenge by opening a constant channel of highly upskilled cybersecurity professionals and cyber-secure the enterprise.
More than 50 universities in the UK have had their lack of cyber defences exposed, with security testers breaching their systems in under two hours.
The tests were conducted by Jisc, the agency that provides Internet services to the UK’s universities and research centres. The organisation’s penetration testers were successful in every attempt, accessing personal data of students and staff, finance systems and research networks.
These are highly targeted scam emails that are sent to senior personnel in an organisation. The hackers claim to be a trusted source, such as a colleague or a third party, and attempt to lure the victim into clicking a link or downloading an attachment that contains malware.
John Chapman, the head of Jisc’s security operations centre, warned that the vulnerabilities could be a sign of an impending “disastrous data breach or network outage”.
He added: “We are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills and investment”.
“Cyber attacks are becoming more sophisticated and prevalent and universities can’t afford to stand still in the face of this constantly evolving threat.”
It’s not hard to see why Chapman would call these findings a disaster. The education sector is one of the most highly targeted by cyber criminals, with a recent freedom of information request revealing that there were more than 700 data breaches at UK schools and academies in 2018.
Meanwhile, the Times reported last year that there were 1,152 data breaches at UK universities in 2016–17, with many attacks geared towards stealing financial information and intellectual property.
Burden of responsibility
David Maguire, who chairs Jisc, says that universities “accrue huge amounts of data”, which “places a burden of responsibility on institutions, which must ensure the safety of online systems”.
Carsten Maple, the director of cyber security research at Warwick University, agrees that universities need to improve their defences urgently.
“Universities drive forward a lot of the research and development in the UK. Intellectual property takes years of know-how and costs a lot. […] Certainly somebody might attack a university and then provide that information to a nation state.”
Professor Maple added that criminals could make “a very good business case” for hacking universities because of the low costs incurred and their poor digital defences.
Dr Anton Grashion, the head of security practice at Cylance, concurs, telling the BBC that the open networks many universities run make them a “tempting and easily accessible” target.
He added: “It’s no surprise that universities are suffering from an increase in security breaches. Their network environments are some of the most challenging networks to manage, with usually smaller security and staffing budgets.”
Reducing cyber attacks through staff training
As the Jisc project demonstrates, cyber attacks are often caused by human error. Simple training can substantially reduce this risk. Our e-learning is a straightforward and cost-effective way to quickly train all staff and students in spotting threats.