Secure System Engineering and The Torah

I attended the session, “Open Sesame: Picking Locks with Cortana” at Black Hat 2018, in which presenters Tal Be’ery, Amichai Shulman, Ron Marcovich  and  Yuval Ron revealed several different ways to access private information on a locked PC using the Cortana voice assistant. First, they demonstrated what they called the “Voice of Esau” (VoE), in which an attacker could verbally command a locked machine to show images and previews of text files. If you have a file called “password,” then an attacker can see your passwords even if the machine is locked.

The presenters, all cyber security experts from Israel, then showed a far more dangerous threat, which they called “Open Sesame.” With Open Sesame, Be’ery, Shulman, Marcovich and Ron were able to instruct a locked machine to access malicious code by ordering it to open a compromised URL. Or, using voice commands to Cortana, an attacker could invoke a cloud-based application or open a Microsoft document containing exploit code.

This was quite eye-opening, but the presenters also offered an inadvertent lesson in Torah and its relevance to the field of cyber security. As a religious Jew, this subject is near and dear to my heart. It was pleasant to hear a Torah reference in the presentation, even though it was, in my view, slightly incorrect.

Isaac blessing Jacob by Govert Flinck (1615-1660)

Referring to the exploit as the “Voice of Esau” was most likely a reference to Genesis 27:22, which tells the story of the elderly, blind patriarch Isaac being tricked into the all-important blessing of the firstborn his younger son, Jacob, who has dressed himself up as his older brother Esau. (Esau is supposed to get the blessing, but Jacob substitutes himself before his father, who can only feel Jacob’s hands, covered in goat skins to make them seem like the hairy hands of his brother.) At that point, Isaac recites one of the more famous lines in the Torah, “The voice is the voice of Jacob, yet the hands are the hands of Esau.”

So, I think that Be’ery, Shulman, Marcovich and Ron actually meant the “Voice of Jacob” when they revealed a vulnerability based on voice trickery. Jacob was able to trick his father even though he couldn’t disguise his voice. He hacked his father, so to speak, to steal the blessing, much like Be’ery, Shulman, Marcovich and Ron verbally persuaded the PC into revealing secrets from behind a locked screen.

The broader interpretation of the line, “The voice is the voice of Jacob, yet the hands are the hands of Esau” is also instructive for cyber security. In moral terms, the phrase is thought to be a reminder not to be two-faced, to “speak in the voice of Jacob” but act “with the hands of Esau.” Yet, this is an apt description of a hacker as well. A hacker, perhaps who engages in social engineering, is very much acting with the hands of Esau but speaking in the voice of Jacob.

The challenge in cyber defense is to spot system users who are acting in this dualistic way. Artificial Intelligence and Machine Learning can help identify potentially malicious actors on a network. As Be’ery, Shulman, Marcovich and Ron suggested, though, there is an even more basic countermeasure to mitigate this sort of risk: Secure system engineering.

The security weakness in Cortana was accidentally designed into the Windows Operating System. Windows 10 includes several openings to an otherwise locked machine. They are there for convenience and user friendliness, but they are unsafe. The presenters cautioned against being too quick to open new entry points into an interface. They invite exploits. Secure system engineering is a discipline that gauges the security impact of a feature at the design stage with the idea of avoiding a Voice of Esau or Open Sesame type of vulnerability.

The Torah also discuses Secure system engineering, in an indirect way, but that’s for another blog.