When Encryption Isn’t Enough

“The giraffe is probably dead” was the musician’s excuse for being late to our corporate event in Johannesburg. Someone had apparently been transporting the animal under an overpass with insufficient clearance. Result: traffic jam. I’ve heard creative excuses for being tardy, but the skepticism must have shown on my face because she added, “It’s all over the Twitter!” and showed me the Twitpic on her smartphone. I couldn’t help but bark a laugh, as did many around us.

In a neat little coincidence, I had literally, just minutes before, finished a talk in which I used Twitter as an example of a social media company with a new focus on security and privacy. In the past, Twitter had been quite “unprivate.” It had used unencrypted communication—probably because all tweets are, by definition, public—so what would be the point of concealing tweets with encryption?

Twitter soon discovered the point: at the same time that Twitter became a popular medium for activists during upheavals like the Arab Spring, it also became a public net through which government agencies could monitor their citizens. One set of public data revealed who follows whom on Twitter. If a person followed too many trouble-making Tweeters, he or she might get a late-night visit from the thought police.

In 2011, Twitter began encrypting all information between the (mostly) mobile endpoints and their own servers. This made it more difficult for monitoring agencies to determine a mobile user’s Twitter profile, and thereby that user’s follow list. More difficult, but not impossible.

Using a bit of clever math, monitoring agencies could still analyze a user’s encrypted Twitter stream and, because of the avatar profile image sizes associated with each Twitter account, make a pretty good guess at which other Twitter users they were following. How so? The common image formats (PNG, JPG) compress visual data, so each image ends up with its own characteristic size. When that compressed data is encrypted, the size of the resulting ciphertext is determined by the size of the plaintext (the cipher adds only a small, fixed overhead), so it is deterministic and relatively static. You can verify this yourself: encrypt a photo of yourself using different passwords and the resulting ciphertext will either be exactly the same size or close. In one famous demonstration of this technique, Vincent Berg of IOActive wrote a tool that was able to guess which map tiles were being pulled down from Google Maps, even though the stream was encrypted.

So, you know what’s really cool? Twitter addressed this problem by padding most avatar images to a constant boundary. I informally checked a handful of Twitter profile avatar images; they padded out to 16,298 bytes. Encrypted, they would be roughly the same length as well. This would make the images difficult to tell apart from each other, thereby increasing the overall privacy of the Twitter ecosystem. It was a simple, elegant fix that today may save lives and promote freedom of speech around the world.
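The two preceding paragraphs describe the length side channel and the padding fix. The script below is an added example, not code from the column or from Twitter: it uses a deliberately simple SHA-256 keystream (counter-mode style) that exists only to show that ciphertext length tracks plaintext length, and it then groups a set of constructed avatar blobs by the length a passive observer would see, first unpadded and then padded to an assumed 16 KiB boundary. The avatar sizes, the boundary and the key are all constructed for illustration.

```python
"""Toy model of the ciphertext-length side channel and the padding fix.

Added example, not part of the original column. The cipher below is a
SHA-256 keystream built only to illustrate that output length follows
input length; it is not a real cipher. Avatar sizes and the 16 KiB
boundary are constructed values.
"""
import hashlib
import os
from collections import defaultdict

NONCE_LEN = 16


def toy_keystream(key, nonce, length):
    """Derive `length` keystream bytes from SHA-256(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key, plaintext):
    """XOR plaintext with keystream; returns nonce || ciphertext.

    As with any stream or counter-mode cipher, the output is exactly
    NONCE_LEN bytes longer than the input, so the length leaks.
    """
    nonce = os.urandom(NONCE_LEN)
    ks = toy_keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def toy_decrypt(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = toy_keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def pad_to_boundary(data, boundary):
    """Pad `data` up to the next multiple of `boundary` (the Twitter-style fix).

    A 4-byte length prefix lets the receiver strip the padding again.
    """
    body = len(data).to_bytes(4, "big") + data
    remainder = len(body) % boundary
    if remainder:
        body += b"\x00" * (boundary - remainder)
    return body


def unpad(padded):
    n = int.from_bytes(padded[:4], "big")
    return padded[4:4 + n]


def anonymity_sets(avatars, key, boundary=None):
    """Group avatars by observed ciphertext length, as a passive observer would.

    Returns {observed_length: [avatar names]}. A group of size 1 means the
    length alone identifies the avatar; larger groups mean less leakage.
    """
    groups = defaultdict(list)
    for name, img in avatars.items():
        pt = pad_to_boundary(img, boundary) if boundary else img
        groups[len(toy_encrypt(key, pt))].append(name)
    return dict(groups)


# Constructed avatars: the content is random filler, only the sizes matter.
AVATARS = {
    "alice": os.urandom(4321),
    "bob": os.urandom(9876),
    "carol": os.urandom(12000),
    "dave": os.urandom(15873),  # all four fit in one 16 KiB bucket
}


def leak_demo(key=b"k" * 32):
    """Return (groups without padding, groups with 16 KiB padding)."""
    unpadded = anonymity_sets(AVATARS, key)
    padded = anonymity_sets(AVATARS, key, boundary=16384)
    return unpadded, padded


if __name__ == "__main__":
    u, p = leak_demo()
    print("without padding:", u)   # four groups, one avatar each
    print("padded to 16 KiB:", p)  # one group holding all four
```

Unpadded, each avatar lands in its own length bucket and the observer needs nothing but the byte count to tell them apart; padded to the boundary, every avatar produces the same ciphertext length and the observer is left with the whole set as candidates. The same reasoning applies to any cipher mode that preserves length up to a constant overhead, which is why the fix has to happen at the application layer rather than in the cipher.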

Figure 1 – Giraffe in a Truck. Source: Thinus Botha / Twitter

Getting back to the giraffe. Later that night, we learned that it did indeed perish, much like what happened in the movie The Hangover III earlier this year. The hundreds of tweets and retweets about the giraffe harmlessly swirled around social media like so many leaves in the wind.

Twitter users may be relatively safe, for now. What worries me, however, is that many activists all over the globe may be using other social media sites that aren’t as on top of it as Twitter with regard to cryptanalysis and privacy. Monitoring agencies may be able to catch citizenry in their surveillance nets by casting about only a little farther away than Twitter.