How to trap a thieving monkey
In parts of rural India, villagers have devised an ingenious method to trap troops of monkeys that regularly raid villages for food. The villagers fashion pots with very narrow openings, tie them to trees, and place sweetmeats or fruits inside these pots. Along come the monkeys, and stick their hands into these pots in order to grab the food inside them.
But once the simians have grabbed them, their clenched fists are now too large to pull out of the narrow opening that their unclenched fingers first went into to get at the treats. They sit forlornly beside their pots, unwilling to let go of their precious treats, and hence unable to remove their hands from the pot.
This method is akin to fishing since it sets a bait, but this bait has no hook attached. The hook is simply the monkey’s own greed.
The villagers come by later and unhurriedly round up the simians, who have become prisoners of their own accord, and deposit them at a safe distance away from their hamlets. Tempted as I am to ponder the life lessons from this story for many of us who, unable to let go of our desires, behave just like these monkeys, this is a column about information technology, and so let me elaborate on that theme here.
Those of us who are online are forever at risk from marauding monkeys in the form of hackers. And the information technology equivalent of moats, fortresses, and watchtowers through passwords, virus protection, firewalls, and so on have not allowed us to keep the hackers out of our systems.
The scale of the hackers’ attacks also seems to go up in geometric progression. The fallout from the recently disclosed security breaches such as the one at Equifax in the US, where up to 145 million people—about half of all Americans—may now find themselves subject to identity theft, and ensuing fraud, is truly disturbing. It seems like finding sufficient security to police our computer systems is much like the process of developing vaccines for new strains of viruses as swine flu mutates into bird flu or whatever the next strain is; the efforts are always post-facto, and all we can do is shut the stable door after the horse has bolted.
But there is hope. Diogo Mónica, a security specialist who runs the eponymous blog diogomonica.com, recently published a post detailing how some firms are now attempting a different way to keep data safe.
In the post, Mónica speaks of a method that he and Nathan McCauley, a colleague of his, came up with a few years ago, when both men were at the payments firm Square. It is called “crypto-anchoring”, and is based on the same idea that keeps the monkeys trapped. A crypto-anchor is a service that forces a data-flow to only be available within the boundaries of a company’s infrastructure.
Today’s hackers infiltrate a company’s electronic fortress and quickly exfiltrate sensitive information like passwords, social security numbers, (and God forbid, Aadhaar numbers). After having exfiltrated the information, the hackers can then crack passwords and other sensitive data—even if these data are encrypted—at their own leisure, since the stolen data now resides on computers under their control.
In his blog, Mónica recommends a method for targets to change their systems architecture such that the attackers are forced to remain within the target’s computer infrastructure environment for an extended period of time before they can access and steal sensitive data.
This can be achieved with the use of a piece of hardware that is physically located inside a company or a cloud provider’s data centre. Such pieces of hardware already exist, and are called Hardware Security Modules, or HSMs.
Linking sensitive data to a key that can only be generated by the HSM would force the attacker to linger within the host company’s environment in order to extract the data. When a computer within the company’s infrastructure attempts to access data, whether an authorized user, or from a hacked server, the HSM acts like a security guard, using its physically resident key to decrypt each query one by one.
Companies can set the HSM to control the flow of decryptions. This means that even if the hackers have taken over a computer that has access to a target database, they can’t simply decamp with a large hoard of data. They stay “anchored” inside the company’s infrastructure, waiting for the HSM to slowly decrypt each bit of data. This can elongate a raid that now takes only a few hours into an effort that can take several months, during which time the hackers must remain active inside the victim’s infrastructure, and risk being caught.
While HSMs are not new, their use is not widespread. However, in a conversation with Wired magazine, Mónica said that he has learned in private conversations with some select Silicon Valley engineers that they have implemented something similar. “Every security-engineering team that’s really good is using some form of this,” he said.
Crypto-anchors alone are not enough, he says, since they can’t actually stop data theft; they can only slow the thieves down. That means all the other tools such as antiviruses, intrusion-detection and so on, will need to remain. But an architecture that by its very design limits how fast data can be decrypted and removed from the network could allow these tools to do their job much more effectively.
In his blog, he says that by designing computer applications in a way that ensures sensitive data-flows are crypto-anchored to the data centre, we will not only slow attackers down, but will get better information on what data was exposed, and most importantly, make attackers continuously risk detection by forcing them to operate in hostile territory.
We might at last have a tool to keep the thieving monkeys tied down.
Siddharth Pai is a world-renowned technology consultant who has personally led over $20 billion in complex, first-of-a-kind outsourcing transactions.
- New Delhi, Beijing agree maintaining peace vital for growth of bilateral ties
- Govt forms panel to review insolvency and bankruptcy code
- A property market slump may have ripple effects on innovation, productivity of staff
- I-T issues draft norms allowing foreign banks to convert local branches into wholly owned units
- Govt to decide on capital allocation based on bank business plans: SBI chief Rajnish Kumar