
Data Protection

When Encryption Isn’t Enough

“The giraffe is probably dead” was the musician’s excuse for being late to our corporate event in Johannesburg. Someone had apparently been transporting the animal under an overpass with insufficient clearance. Result: traffic jam. I’ve heard creative excuses for being tardy, but the skepticism must have shown on my face because she added, “It’s all over the Twitter!” and showed me the Twitpic on her smartphone. I couldn’t help but bark a laugh, as did many around us.


In a neat little coincidence, I had literally, just minutes before, finished a talk in which I used Twitter as an example of a social media company with a new focus on security and privacy. In the past, Twitter had been quite “unprivate.” It had used unencrypted communication—probably because all tweets are, by definition, public—so what would be the point of concealing tweets with encryption?

Twitter soon discovered the point: at the same time that Twitter became a popular medium for activists during upheavals like the Arab Spring, it also became a public net through which government agencies could monitor their citizens. One set of public data revealed who follows whom on Twitter. If a person followed too many trouble-making Tweeters, he or she might get a late-night visit from the thought police.

In 2011, Twitter began encrypting all information between the (mostly) mobile endpoints and their own servers. This made it more difficult for monitoring agencies to determine a mobile user’s Twitter profile, and thereby that user’s follow list. More difficult, but not impossible.

Using a bit of clever math, monitoring agencies could still analyze a user’s encrypted Twitter stream and, because of the avatar profile image sizes associated with each Twitter account, make a pretty good guess at which other Twitter users they were following. How so? The common image formats (PNG, JPG) compress visual data, so two different avatars almost never come out the same size: each account’s avatar has a distinctive byte count, and those avatars are public. Encryption does nothing to hide that count. The ciphers TLS uses either preserve the plaintext length exactly (stream and counter modes, with a fixed-size authentication tag appended) or round it up to the next block boundary, so the size of the resulting ciphertext is deterministic and, for a given image, static. You can verify this yourself: encrypt a photo of yourself using different passwords and the resulting ciphertext will either be exactly the same size or within a few bytes. An observer who has already downloaded the public avatars of the accounts it cares about therefore never needs to break the encryption; it only has to match the lengths it sees on the wire against that list. This is traffic analysis, not cryptanalysis. In one famous demonstration of this technique, Vincent Berg of IOActive wrote a tool that was able to guess which map tiles were being pulled down from Google Maps, even though the stream was encrypted.

So, you know what’s really cool? Twitter addressed this problem by padding most avatar images to a constant boundary. I informally checked a handful of Twitter profile avatar images; they padded out to 16,298 bytes. Encrypted, they would be roughly the same length as well. The trick works because PNG and JPEG decoders stop at the image’s end marker and ignore trailing bytes, so a padded file still renders normally while every avatar now produces the same ciphertext length on the wire. That makes the images difficult to tell apart from each other, thereby increasing the overall privacy of the Twitter ecosystem. It was a simple, elegant fix that today may save lives and promote freedom of speech around the world.
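The size-fingerprinting attack and the padding fix from the two paragraphs above, as an added Python example that is not from the column and not Twitter’s code. It stands in a toy length-preserving cipher for the TLS record layer (SHA-256 in counter mode plus a 16-byte tag, which has the same length behaviour as AES-GCM but is not a real cipher), uses five constructed accounts with made-up avatar sizes, and pads to a hypothetical 16,384-byte boundary rather than the 16,298 bytes observed above. The account names, sizes, function names and boundary are all assumptions for the example.

```python
import hashlib
import os
from collections import defaultdict
from typing import Dict, List

TAG_LEN = 16  # AES-GCM and ChaCha20-Poly1305 append a 16-byte tag per record


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy length-preserving encryption standing in for a TLS record layer.

    SHA-256 in counter mode as keystream plus a 16-byte tag. NOT a real
    cipher, but it shares the one property the attack depends on:
    len(ciphertext) == len(plaintext) + TAG_LEN.
    """
    blocks = (len(plaintext) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(blocks))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hashlib.sha256(key + body).digest()[:TAG_LEN]  # placeholder MAC
    return body + tag


def pad_to_boundary(data: bytes, boundary: int) -> bytes:
    """Append zero bytes until len(data) is a multiple of `boundary`.

    PNG (IEND) and JPEG (EOI) decoders ignore trailing bytes, so the padded
    file still renders; this is the shape of the avatar fix described above.
    """
    return data + b"\x00" * ((-len(data)) % boundary)


def size_fingerprints(avatars: Dict[str, bytes]) -> Dict[int, List[str]]:
    """Observer's precomputation from PUBLIC data only.

    Index every account of interest by the ciphertext length its avatar will
    have on the wire. No key material is needed, just length preservation.
    """
    table: Dict[int, List[str]] = defaultdict(list)
    for user, img in avatars.items():
        table[len(img) + TAG_LEN].append(user)
    return dict(table)


def identify(observed_len: int, table: Dict[int, List[str]]) -> List[str]:
    """Map one observed ciphertext length back to the candidate accounts."""
    return table.get(observed_len, [])


# Constructed sample: five hypothetical accounts whose avatars have distinct
# compressed sizes. Content is random filler because only length matters.
SAMPLE_SIZES = {"alice": 4113, "bob": 7290, "carol": 2048,
                "dave": 9957, "erin": 12001}


def sample_avatars() -> Dict[str, bytes]:
    return {user: os.urandom(size) for user, size in SAMPLE_SIZES.items()}


def run_demo(pad_boundary: int = 0):
    """Simulate a victim fetching two avatars over an encrypted session and
    an observer matching the ciphertext lengths. Returns (fetched, guesses)."""
    avatars = sample_avatars()
    if pad_boundary:
        avatars = {u: pad_to_boundary(img, pad_boundary)
                   for u, img in avatars.items()}
    table = size_fingerprints(avatars)
    session_key = os.urandom(32)        # never seen by the observer
    fetched = ["alice", "carol"]        # the victim's constructed follow list
    wire = [encrypt(session_key, avatars[u]) for u in fetched]
    guesses = [identify(len(ct), table) for ct in wire]
    return fetched, guesses


if __name__ == "__main__":
    for boundary in (0, 16384):
        fetched, guesses = run_demo(boundary)
        label = f"padded to {boundary}" if boundary else "unpadded"
        for user, candidates in zip(fetched, guesses):
            print(f"{label:>15}: fetched {user:5} -> observer guesses {candidates}")
```

Unpadded, each observed length maps to exactly one account, so the observer recovers the follow list from ciphertext alone. Padded to the boundary, every avatar produces the same ciphertext length and the observer’s guess collapses to “any of the five”. Note the limit of the approach: an image larger than the boundary would land in a different size bucket and stand out again, which is why padding to one fixed size, rather than a small multiple, is what removes the signal.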

Figure 1 – Giraffe in a truck. Source: Thinus Botha / Twitter

Getting back to the giraffe. Later that night, we learned that it did indeed perish, much like what happened in the movie The Hangover III earlier this year. The hundreds of tweets and retweets about the giraffe harmlessly swirled around social media like so many leaves in the wind.


Twitter users may be relatively safe, for now. What worries me, however, is that many activists all over the globe may be using other social media sites that aren’t as on top of it as Twitter with regard to cryptanalysis and privacy. Monitoring agencies may be able to catch citizenry in their surveillance nets by casting about only a little farther away than Twitter.
