Crypto is cracked: How not to fall in
Security admins need to stay ahead of vulnerabilities in the most reliable cryptography technologies, from HTTPS to AES
Over the past few weeks, cracks have appeared in the cryptographic technologies on which organizations have long relied. These include the vulnerabilities in HTTPS-protected cookies and last week's hacking of RFID smart cards.
These developments should not come as too significant a surprise. Even demonstrably strong, time-tested crypto can be compromised, as attack methods and tools only improve. With enough time, every great encryption algorithm today will be tomorrow's cracked cipher. That's why all security administrators need to ensure that their enterprise's crypto keeps pace.
A team of German scientists demonstrated the recent RFID hack. With it, they were able to perfectly clone the kind of magnetic security card used to grant workers access to corporate or government buildings -- including NASA -- and used as a daily ticket replacement on buses and subways. The demonstration made real a theoretical attack first proposed in 2002. Pulling off such an attack requires the perpetrator to have physical possession of the target card. The technique measures minute voltage changes in a cryptographic "side channel" attack to reveal the card's 112-bit secret 3DES encryption key.
The affected RFID card's vendor, Mifare, was notified of the attack six months ago, and the company is in the process of ending the marketing of the vulnerable card. That latter point is probably slight comfort to the millions of users of the existing cards. The good news is that most criminals don't have the expertise and equipment to pull off the attack. The real threat right now is to specific targeted, high-value companies from dedicated attackers. In most cases, there are far easier ways to compromise the intended victims and access otherwise protected information.