August 18, 2015

Probably the quickest way for a security company to prompt an overwhelmingly hostile response from the security research community is to claim that its products and services are “unbreakable” by hackers. The second-fastest way to achieve that outcome is to have that statement come from an encryption company CEO who served several years in federal prison for his role in running a $210 million Ponzi scheme. Here’s the story of a company that managed to accomplish both at the same time and is now trying to learn from (and survive) the experience.

Thanks to some aggressive marketing, Irvine, Calif.-based security firm Secure Channels Inc. (SCI) and its CEO Richard Blech have been in the news quite a bit lately — mainly Blech being quoted in major publications such as NBC News, Politico and USA Today — talking about how his firm’s “unbreakable” encryption technology might have prevented some of the larger consumer data breaches that have come to light in recent months.

Blech’s company, founded in 2014 with his own money, has been challenging the security community to test its unbreakable claim in a cleverly unwinnable series of contests: At the Black Hat security conference in Las Vegas last year, the company offered a new BMW to anyone who could unlock a digital file that was encrypted with its “patented” technology.

At the RSA Security Conference this year in San Francisco, SCI offered a $50,000 bounty to anyone who could prove the feat. When no one showed up to claim the prizes, SCI issued press releases crowing about a victory for its products.

Turns out, Blech knows a thing or two about complex, unwinnable games: He pleaded guilty in 2003 to civil and criminal fraud charges and was sentenced to six years in U.S. federal prison for running an international Ponzi scheme.

Once upon a time, Blech was the CEO of Credit Bancorp Ltd. (CBL), an investment firm that induced its customers to deposit securities, cash, and other assets in trust by promising the impossible: a “custodial dividend” based on the profits of “risk-less” arbitrage. Little did the company’s investors know at the time, but CBL was running a classic Ponzi scheme: taking cash and other assets from new investors to make payments to earlier ones, creating the impression of sizable returns, prosecutors said. Blech was sentenced to 72 months in prison and was released in 2007.

THE UNBREAKABLE COMPETITION


In April 2015, Lance James, a security researcher who has responded to challenges like the BMW and $50,000 prizes touted by SCI, began receiving taunting tweets from Blech and Ross Harris, a particularly aggressive member of SCI’s sales team. That Twitter thread (PDF) had started with WhiteHat Security CTO Jeremiah Grossman posting a picture of a $10,000 check that James was awarded by TeleSign, a company that had put up the money after claiming that its StrongWebmail product was unhackable. Turns out, it wasn’t so strong: James and two other researchers found a flaw in the service and hacked the CEO’s email account. StrongWebmail never recovered from that marketing stunt.

James replied to Grossman that, coincidentally, he’d just received an email from SCI offering a BMW to anyone who could break the company’s crypto.

“When the crypto defeats you, we’ll give you a t-shirt, ‘Can’t touch this,’ you’ll wear it for a Tweet,” Blech teased James via Twitter on April 7, 2015. “Challenge accepted,” said James, owner of the security consultancy Unit 221b.  “Proprietary patented crypto is embarrassing in 2015. You should know better.”

As it happens, encrypting a file with your closed, proprietary encryption technology and then daring the experts to break it is not exactly the way you prove its strength or gain the confidence of the security community in general. Experts in encryption tend to subscribe to an idea known as Kerckhoffs’s principle when judging the relative strength and merits of any cryptosystem: a system should remain secure even if everything about it except the key is public. Put simply, in Claude Shannon’s later restatement of the same idea, “one ought to design systems under the assumption that the enemy will gain full familiarity with them.”

Translation: If you want people to take you seriously, put your encryption technology in full view of the security community (minus your private encryption keys), and let them see if they can break the system.

James said he let it go when SCI refused to talk seriously about sharing its cryptography solution, only to hear again this past weekend from SCI’s director of marketing Deirdre “Dee” Murphy on Twitter that his dismissal of their challenge proved he was “obsolete.” Murphy later deleted the tweets, but some of them are saved here.

Nate Cardozo, a staff attorney at the nonprofit digital rights group Electronic Frontier Foundation (EFF), said companies that make claims of unbreakable technologies very often are effectively selling snake oil unless they put their products up for peer review.

“They don’t disclose their settings or what modes their ciphers are running in,” Cardozo said. “They have a patent which is laughably vague about what it’s actually doing, and yet their chief marketing officer insults security researchers on Twitter saying, ‘If our stuff is so insecure, just break it.'”

Cardozo was quick to add that although there is no indication whatsoever that Secure Channels Inc. is engaging in any kind of fraud, they are engaged in “wildly irresponsible marketing.”

“And that’s not good for anyone,” he said. “In the cryptography community, the way you prove your system is secure is you put it up to peer review, you get third party audits, you publish specifications, etc. Apple’s not open-source and they do all of that. You can download the security white paper and see everything that iMessage is doing. The same is true for WhatsApp and PGP. When we see companies like Secure Channel treating crypto like a black box, that raises red flags. Any company making such claims deserves scrutiny, but because we can’t scrutinize the actual cryptography they’re using, we have to scrutinize the company itself.”

THE INTERVIEW

I couldn’t believe that any security company — let alone a firm that was trying to break into the encryption industry (a business that requires precision perhaps beyond any other, no less) — could make so many basic errors and miscalculations, so I started digging deeper into SCI and its origins. At the same time I requested and was granted an interview with Blech and his team.

I learned that SCI is actually licensing its much-vaunted, patented encryption technology from a Swiss firm by the same name – Secure Channels SA. Malcolm Hutchinson, president and CEO at Secure Channels SA, said he and his colleagues have been “totally dismayed at the level of marketing hype being used by SCI.”

“In hindsight, the mistake we made was licensing SCI to use the Secure Channel name, as this has led to a blurring of the distinction between the owner of the IP and the licensee of that IP which has been exploited,” he told KrebsOnSecurity in an email exchange.

SCI’s CEO Blech has been quoted in the news media saying the company has multiple U.S. government clients. When asked at the outset of a phone interview to name some of those government clients, Blech said he was unable to because they were all “three-letter agencies.” He mentioned instead a deal with MicroTech, a technology integrator that does work with a number of government agencies. When asked whether SCI was actually doing any work for any government clients via its relationship with MicroTech, Blech conceded that it was not.

“We’re on their GSA schedule and in a flow with these agencies,” Blech said.

The same turned out to be the case of another “client” Blech mentioned: American electronics firm Ingram Micro. Was anyone actually using SCI’s technology because of the Ingram relationship? Well, no, not yet.

Did the company actually have any paying clients, I asked? Blech said yes, SCI has three credit union clients in California, two of which couldn’t be disclosed because of confidentiality agreements. In what sense was the third credit union (La Loma Federal Credit Union) using SCI’s unbreakable encryption? As Blech explained it, SCI sent one of its employees to help the credit union with a compliance audit, but La Loma FCU hasn’t actually deployed any of SCI’s products.

“They’re not ready for it, so we haven’t deployed it,” he said.

I asked Blech about the gap in his resume between roughly 2003 and 2007. When he balked, I asked whether he’d advised all of his employees of his criminal record when they were hired. Yes, of course, he said (this, according to two former SCI employees, was not actually the case).

In any event, Blech seemed to know this subject was going to come up, and initially took ownership over the issue, although he said he never ran any Ponzi schemes.

“This is in my past and something I’ve addressed and paid my debt for in every way,” Blech said. “I took the approach that was going to get me home to my family the soonest. That meant cooperating with the government and not fighting them in a long, drawn-out battle. I took responsibility, financially and in every way I had to with this case.”

Then he added that it really wasn’t his fault. “There were people in my company that were in America while I was living in Europe that went out and did things inappropriately that got the attention of the authorities,” he said, pointing out that virtually all of the money was returned to investors.

“I put more than $2 million of my own money into this company,” Blech said of SCI. “I could have hidden, and spent that to reinvent myself and sit on a beach in the Bahamas. But I didn’t do that.”

PATENTLY OBVIOUS?

Why in the world wouldn’t anyone want to deploy an unhackable security product? Perhaps because the product doesn’t offer much beyond existing encryption technologies to justify the expenditure?

The subject of all this hoopla — US Patent No. 8,744,078 B2, Issued June 3, 2014 — carries the title: “SYSTEM AND METHOD FOR SECURING MULTIPLE DATA SEGMENTS HAVING DIFFERENT LENGTHS USING PATTERN KEYS HAVING MULTIPLE DIFFERENT STRENGTHS.”

Put simply, SCI’s secret sauce is a process for taking existing encryption techniques (the company says it uses only vetted, established code libraries), randomizing which one gets used to encrypt the file that needs to be protected, and then encrypting the output with AES-256. Seems patently obvious, yet otherwise harmless. But how does this improve upon AES-256 — widely considered one of the most secure ciphers available today?
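To make concrete where a cascade of this shape does and does not get its strength, here is an added example written for this page. It is not SCI’s code (the page never shows its implementation) and not the patent’s method; it is a toy cascade that picks one of four inner ciphers at random and wraps the result in an outer layer, plus an attacker who, as Kerckhoffs’s principle assumes, holds the complete source code but not the key. HMAC-SHA256 run in counter mode stands in for the real ciphers because the Python standard library has no AES; the cipher labels, the key-derivation step and the two-byte demonstration key are all assumptions of the example, the last one chosen only so the enumeration finishes in seconds.

```python
"""Added example, not SCI's implementation: a cipher cascade of the kind the
patent text describes, built on a toy primitive so it runs with only the
Python standard library. Everything below is public except `master`."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

N_CIPHERS = 4   # how many vetted inner ciphers the cascade can choose among
KEY_LEN = 2     # bytes; deliberately tiny so recover_key() finishes in seconds.
                # A real deployment uses 32 bytes, i.e. the 256-bit AES key size.


def toy_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy keyed stream cipher: HMAC-SHA256 counter-mode keystream XORed onto
    data. A stand-in for the established ciphers the page mentions; `label`
    says which "cipher" this is. XOR means one call both encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def subkeys(master: bytes) -> Tuple[bytes, bytes]:
    """Expand the master key into independent inner and outer keys (toy KDF)."""
    material = hashlib.sha512(b"cascade-kdf|" + master).digest()
    return material[:32], material[32:]


def layers(k_in: bytes, k_out: bytes, sel: int, data: bytes) -> bytes:
    """Inner cipher number `sel`, then the outer layer (think AES-256 on top)."""
    return toy_stream(k_out, b"outer", toy_stream(k_in, b"inner-%d" % sel, data))


def encrypt(master: bytes, plaintext: bytes) -> Tuple[int, bytes]:
    """Returns the selector and the ciphertext. The selector is the
    "randomization sequence": the recipient needs it as well, so in practice
    it either travels with the ciphertext or is derived from the key."""
    sel = secrets.randbelow(N_CIPHERS)
    return sel, layers(*subkeys(master), sel, plaintext)


def decrypt(master: bytes, sel: int, ciphertext: bytes) -> bytes:
    return layers(*subkeys(master), sel, ciphertext)


def recover_key(ciphertext: bytes, crib: bytes, key_bits: int,
                sel: Optional[int] = None) -> Optional[Tuple[bytes, int]]:
    """The attacker's job under Kerckhoffs's assumption: full knowledge of the
    design, no key. Enumerate the key space, and the selector as well if it was
    kept secret. A hit is recognised by a known plaintext prefix (`crib`)."""
    assert key_bits <= 8 * KEY_LEN
    selectors = [sel] if sel is not None else list(range(N_CIPHERS))
    for k in range(2 ** key_bits):
        cand = k.to_bytes(KEY_LEN, "big")
        k_in, k_out = subkeys(cand)          # derived once per candidate key
        for s in selectors:
            # stream layers are position-based, so decrypting only the prefix is enough
            if layers(k_in, k_out, s, ciphertext[:len(crib)]) == crib:
                return cand, s
    return None


if __name__ == "__main__":
    master = secrets.token_bytes(KEY_LEN)
    sel, ct = encrypt(master, b"MAGIC:attack at dawn")
    assert decrypt(master, sel, ct) == b"MAGIC:attack at dawn"
    print("selector stored :", recover_key(ct, b"MAGIC:", 8 * KEY_LEN, sel))
    print("selector secret :", recover_key(ct, b"MAGIC:", 8 * KEY_LEN))
```

With the selector stored beside the ciphertext, the attacker’s work is exactly the key space. Keeping the selector secret multiplies that work by N_CIPHERS, which is log2(4), or two bits, on top of the key; a 256-bit key does not need them, and a 16-bit one is not saved by them. The strength lives in the key, not in which cipher was picked, so nothing is lost by publishing the design. The toy has no nonces and no integrity check, both of which a real cascade needs; it exists only to show the accounting.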

It’s not clear that it does. In case after case, we’ve seen security technologies that were previously secure compromised by the addition of functionality, features or implementations that are fundamentally flawed. In the case of the Heartbleed bug — a massive vulnerability in OpenSSL that let anyone read chunks of a server’s memory, including the private keys and session data protecting encrypted Web traffic — the bug was introduced accidentally by an OpenSSL volunteer programmer implementing a new feature, the TLS heartbeat extension, in the widely used library.

Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, pointed to another example: Acutrust, a once ambitious security firm that came up with a brilliant idea to combat phishing attacks, only to create a new problem in the process.

“Acutrust turned a normal [password] hash into a pretty picture as a convoluted way to prevent phishing and it made it super easy to brute-force every username and password offline, and didn’t help with phishing at all,” Hansen wrote in a Facebook message. “This article single handedly effectively put them out of business, FYI.”
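As an added illustration of the failure mode Hansen describes (example code written for this page, not Acutrust’s, whose scheme the article does not detail): a pre-login “visual hash” computed from the password, beside a variant keyed by a per-user random secret held on the server. The shape and colour palette, the `User` record, the usernames and the wordlist are all constructed for the example.

```python
"""Added example, not Acutrust's code: why a picture that is a function of
the password is an offline guessing oracle, and one way to key it instead."""
import hashlib
import hmac
import secrets
from typing import List, Tuple

SHAPES = ["circle", "square", "triangle", "star", "hexagon", "diamond", "cross", "moon"]
COLOURS = ["red", "green", "blue", "yellow", "purple", "orange", "black", "white"]


def digest_to_picture(d: bytes) -> Tuple[Tuple[str, str], ...]:
    """Turn the first six bytes of a digest into three shape/colour cells: the
    'pretty picture'. Each cell has 64 possibilities, so the picture carries
    roughly 18 bits of whatever was hashed."""
    return tuple((SHAPES[d[i] % 8], COLOURS[d[i + 1] % 8]) for i in range(0, 6, 2))


# --- Design 1: picture derived from the password (the failure mode Hansen describes) ---
def picture_from_password(username: str, password: str) -> Tuple[Tuple[str, str], ...]:
    # The username acts as a salt, but the picture is still a fixed, fast function
    # of the password, and the site shows it to whoever types the username.
    return digest_to_picture(hashlib.sha256(f"{username}:{password}".encode()).digest())


def offline_candidates(username: str, observed: Tuple, wordlist: List[str]) -> List[str]:
    """Attacker saw the picture once (phishing page, shoulder surf, or simply asking
    the site for it). Every guess is checked locally; the server sees none of them,
    so lockouts and rate limits never fire. What survives is tried online."""
    return [g for g in wordlist if picture_from_password(username, g) == observed]


# --- Design 2: picture keyed by a per-user random secret, independent of the password ---
class User:
    def __init__(self, username: str, password: str):
        self.username = username
        self.picture_secret = secrets.token_bytes(32)   # chosen at enrolment, kept server-side
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)

    def _hash(self, password: str) -> bytes:
        # Slow, salted hash used only for verification; never shown to anyone.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password: str) -> None:
        self.pw_hash = self._hash(password)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, self._hash(password))

    def picture(self) -> Tuple[Tuple[str, str], ...]:
        # Reveals nothing about the password: the image is keyed by a secret the user
        # never typed. (It still does not stop a phisher who relays the username to the
        # real site and shows the victim the genuine picture.)
        return digest_to_picture(
            hmac.new(self.picture_secret, self.username.encode(), hashlib.sha256).digest())


if __name__ == "__main__":
    shown = picture_from_password("alice", "hunter2")          # what the phisher saw
    print("design 1 narrows the wordlist to:",
          offline_candidates("alice", shown, ["123456", "password", "letmein", "hunter2", "qwerty"]))
    alice = User("alice", "hunter2")
    before = alice.picture()
    alice.set_password("correct horse battery staple")
    print("design 2 picture unchanged after password change:", alice.picture() == before)
```

Design 1 is an unsalted-in-effect password hash published to the world: a wordlist of millions is reduced to the handful of entries that map to the observed picture in well under a second, and the site never sees a single failed attempt. Design 2 removes the password from the picture entirely, which is the minimum; whether a pre-login picture is worth having at all is a separate question, since a relaying phisher can still present the real one.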

All told, I spent more than an hour on the phone with Blech and his team. At the beginning of the call, it was clear that neither he nor any of his people were familiar with Kerckhoffs’s principle, or even appreciated the idea that having their product publicly vetted might be a good thing. But by the end of the call, things seemed to be turning around.

At first, Blech said anyone who wanted to try to break the company’s technology needed only to look to its patent on file with the U.S. Patent & Trademark Office, which he said basically explained the whole thing. I took another look at SCI’s press release about its precious patent: “One of the most interesting things about technology is the personalities behind it,” the company’s own in-house media firm crowed. No question about that.

Early in the interview, Blech said he wouldn’t want to let just anyone and everyone have access to their product; the company would want to vet the potential testers. Later in the call, the tone had changed.

“Without the decryption key, even if you have the source code, not going to be able to get through it,” Blech said. “We don’t know the randomization sequence,” chosen by their technology when it is asked to encrypt a file, he said.

Now we were getting somewhere, or at least a whole lot closer to crotchety ole’ Kerckhoffs’s principle. The company finally seemed to be opening up to the idea of an independent review. This was progress. But would SCI cease its “unhackable” marketing shenanigans until such time? SCI’s marketing director Deirdre Murphy was non-committal, suggesting that perhaps the company would find a less controversial way to describe their product, such as “impenetrable.” I just had to sigh and end the interview.

Just minutes after that call, I received an email from SCI’s outside public relations company stating that SCI would, in fact, be publishing a request for proposal for independent testing of its technology:

“As an early stage company we were focused on coming to market and channel partnering. We now realize that specific infosec industry norms around independent need to be met – and quickly. We’ve been using the peer review and testing of existing partners, advanced prospects and early engagements up until now. We hear the infosec community’s feedback on testing, and look forward to engaging in independently conducted tests. We are today publishing requests for proposals for such testing.”

“We realize that sometimes a technology innovator’s earliest critics can be their best sources of feedback. We hope to solicit constructive involvement from the infosec community and some of its vast array of experts.”

Kerckhoffs would be so proud.


75 thoughts on “How Not to Start an Encryption Company”

  1. CooloutAC

    So the NSA is just godlike smart and never messes anything up? I doubt that, in fact, I think prism like technology is the only thing they have that can one up your top blackhat organizations, which severely outnumber whitehats imo. And probably one of the main reasons for its existence. I think a lot of really super smart technical people in this day and age don’t go working for the gov’t, or open sourced projects unfortunately. There is not enough money in it for them. Linus Torvalds has also publicly admitted that blackhats are way more technical and smart than the whitehats he talks to.

    I can see an actual security tool being open sourced to prove it works the way a user wants it to or to learn from it, or something open sourced to prove it has no intentional backdoors or malicious functions. But generally regarding 3rd party attackers there is no proof that open sourced software is more or less secure than proprietary. There are arguments for both cases. And if your argument is the crypto can’t be defeated because information about how it works is kept secret, then that doesn’t seem to favor fondly on a need for open source regarding security.

    Look at heartbleed, or even worse shellshock, or this latest x86 exploit. The latter two being the most devastating exploitable bugs known in the history of computing and have been around for over 20 years. By the same token, blackhats almost never use source code when breaking and exploiting apps…. so security as an argument for either is null imo.

    So lets be real, you white hat security guys are saying you need the source code to crack it, the NSA doesn’t provide the source code for their crypto because they consider that a security risk, and the real threat of proprietary software is the mal intentions of the developers and authors, not 3rd parties exploiting incompetence and flaws.

    1. Ian McKenzie

      There is a much more nuanced discussion to be had about the open source and community based project developments that the modern Internet and the technologies which power it are largely founded on in comparison to for-profit proprietary software/intellectual property. Nobody is asking for this company’s source code, however, that would be great. To be taken seriously as a security product in a hostile commercial environment you are expected to provide a certain amount of information and demonstrate where possible. If you can’t do this, don’t expect to last long in this market.

  2. CooloutAC

    They won’t last long because of disgruntled security researchers slandering them, or because you assume their crypto will be cracked?

    What I find interesting is how a guy convicted of fraud could get so many big players in the computer industry to partner with him and even have federal agencies interested, or how he can be quoted by so many reputable technology news sites.

    I’m just pondering here, but maybe it’s because it takes a scam artist to figure out a scam artist? lmao Many hackers, mostly blackhats themselves, consider social engineering and the human factor the biggest security flaw in a company. Many people slander Kevin Mitnick similarly, saying he is overhyped and doesn’t have real skillz, but let’s face it, the guy is a master at social engineering and the most famous hacker alive, regardless of how you rate his technical ability. I think the guy compromises people everywhere he goes, to this day, because he is addicted to it. You don’t have to be a computer genius to compromise someone, especially nowadays with kids using for hire services and products. This dying industry needs to lose that arrogance fast. I believe most of the time it’s like the guy that robs your house, it’s someone you know, and those are the people you need to protect yourself against most. And I don’t think Richard Blech or Kevin Mitnick argue otherwise and that’s part of their security strategy.

    1. Ian McKenzie

      Won’t last long because their apparent current business model treats one of the most serious issues facing us today as a marketing gimmick. Brian’s article explains it all rather well I think but as some others have commented, anyone trying to vet this company as a potential vendor is going to take issue with their approach and lack of transparency on the technical side. This isn’t a new concept and would only be surprising to someone new to the industry or not very well connected to what has occurred over the last few years.

      1. Bob "Buzz" Akerz

        Ian, you seem to only rely on this report without verifying yourself. I made a simple check of their website and it has as much if not more resource information available as any other cybersecurity company. They don’t appear to be hiding anything and in fact, looks like they have information overkill. There is a white paper or technical brief for every technology or product they offer.

        From the looks of this article, Brian didn’t bother to check their website either and just went with the agenda he had, which was clearly not to be objective. Many cyber companies are bombastic with their marketing and sales to attract attention, but when you get to the technical papers, it’s serious and detailed.

        This whole story was just a bunch of puff for nothing.

          1. Bob "Buzz" Akerz

            I don’t know Ian, what is your innuendo here? Are you trying to say that as a result of this crack “investigative reporting” that they just threw up all these white papers and technical briefs? Incredible the lack of research done by the reporter here and the members that comment.

            Naturally, the only reference to the company in this report, is a contest site about a hacking contest, not the actual corporate site.

            It looks like the company has some extensive cyber breach insurance coverage. I wonder how they could have got that without being examined?

            I used to think a lot of this blog, hopefully this “report” is just an outlier and not what we should be expecting from now on.

            1. Ian McKenzie

              No innuendo was intended. Plenty of us who frequent Brian’s blog are in industries that utilize bleeding edge security technology. It would be wise for any up and coming business to consider such opinions instead of becoming defensive and indeed it seems they began to near the end of the interview. Suffice it to say the market will decide.

  3. 5th try

    Lets see if my 5th try at posting works…. other 4 must have been mysteriously filtered.
