SHA-1 Is Broken

  • Did you know that a Chinese team of researchers found that there were collisions in 2^69 hash operations instead of the predicted 2^80?!?!!? And they found collisions in SHA-1, the 58-round version, in only 2^33 operations!!! It's not horrible news, but it does sound the end for this encryption algorithm and it means we need to be searching for new ones.

    It's the middle of the month and the Cryptogram newsletter was released for March with some interesting items in there.

    If you understand the implications of this and are versed in how hash algorithms work in cryptography, please don't tell me. It's beyond me and my eyes glazed over while reading part of that section. I think it's neat and interesting, but I'm not smart enough to really understand it, so I kind of skimmed that one. 🙂

    There was an interesting article on two-factor authentication, which seems to be in the headlines more these days as a way to make systems more secure. Some of the phishing-type attacks, however, aren't prevented by the additional authentication and it's worth reading. Not to scare you, but as I mentioned yesterday, to make you more aware so you can be prudent.

    This issue also mentions the ChoicePoint security breach with an interesting perspective to me. ChoicePoint, which can affect so many people's financial lives, is a service that a user has no choice in using. Your credit history can be stored by them and you don't get to move it to some other company. In my mind, that's a much worse monopoly than Microsoft. At least with Microsoft you can choose to go elsewhere. I say that either the whole credit history database should be a competitive market where you can choose who stores your data, or make it a government entity.

    And disclose the breaches, as Boston College did on Thursday, with the suspected attack against its alumni database. So if you're a BU alum, beware of any marketing efforts in the near future.

    And if you need a free bicycle in Germany....

  • SHA is a hash algorithm, not an encryption algorithm

    This might be interesting:

    http://groups.google.de/groups?hl=de&lr=&frame=right&th=7dee1e40ec9591fb&seekm=%23PKq%23RLFFHA.2832%40TK2MSFTNGP14.phx.gbl#link6

    --
    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/

  • More info... Schneier's blog thread here:

    Schneier on Security: SHA-1 Broken

    K. Brian Kelley
    @kbriankelley

  • I hope you were joking when you made the statement that the database should be a government entity.  Think about that implication for a minute and "Big Brother" consequences.

  • This reply may get me booed off the forum but here goes...

    I've worked in the credit reporting industry for more than 25 years. There is plenty of competition between the 3 majors (Equifax, Trans Union, Experian). So much so that the former network of more than 2,500 local credit bureaus affiliated with those systems is now down to about 2. Credit reports used to sell for over $1.50 and now large credit grantors purchase them for under 16 cents.

    The credit reporting industry takes very seriously the responsibility to protect your data. We perform on-site inspections of every new customer to try and determine that they have a right to access your credit information. The crooks are getting very good at meeting our requirements and looking very legitimate. The company that defrauded ChoicePoint, and the more than 140,000 consumers, set up 50 offices to commit its scam. There may have been many more fraudulent companies set up that applied to ChoicePoint for services and were denied.

    Even companies with legitimate business reasons to access credit reports have bad apples working for them. In one case an auto dealership in the North East had bad employees selling ID from legitimate car deals to thieves for $70 a pop. None of our due diligence can stop that on the front end. The dealership, the credit bureaus, as well as the consumers were victims.

    By and large, your credit information is safe and accurate. The last thing you want is to have the government in control of it. Current legislation prevents government agencies from having full access to your information for the very reason that lawmakers realize that such information does not need to be in the government's hands.

    Lastly, this deal at ChoicePoint affected 1 tenth of 1 percent of adult consumers. I'm not trying to minimize the impact on those lives affected but it isn't like every consumer's private personal information is an open book for all to read. Our industry has worked diligently to have in place appropriate protections. We are taken advantage of from time to time just like any other industry. And I believe it was ChoicePoint who notified the authorities of the suspicious behavior.

    Thanks for your ear.

    Bill (not Gates)

  • The problem with ChoicePoint isn't so much that they were penetrated. In the security realm we deal with the when, not if. We expect the attacks to come. We also plan for the situation for when an attack succeeds. Or at least, we're supposed to. That's why there's so much on forensics out there in the "book of knowledge." We know more than 99% of the folks will play fair if we do at least minimal things to apply security. We're worried about that small percentage that won't.

    And that leads me to ChoicePoint. Media coverage on ChoicePoint after the penetration has portrayed ChoicePoint being very unconcerned with investigating the full scope of the penetration. Nor do they seem too concerned with doing a better job of policing itself and putting in place more stringent audit and control mechanisms. If that media coverage is accurate, it's a sad, sad day.

    Yes, you're right, a false customer may get access to personal data and it's becoming increasingly difficult to stop such things as the criminal element gets more and more involved in penetrating computer systems. However, after you have determined it was a penetration, your audit systems should be able to tell you exactly what they got. ChoicePoint can't be 100% on the first. No one can. But they certainly can on the 2nd.

    More here:

    Schneier's Blog: ChoicePoint Says "Please Regulate Me"

    K. Brian Kelley
    @kbriankelley

  • I'm sure that a majority of people at ChoicePoint and the other agencies are concerned about the integrity and the safety of the information. But I'd also guess that it's a business and without compelling regulation to change, the management there will not do more than they have to. Nor will they do more than they need to as far as disclosure.

    I don't really want the government to handle this, but I don't like the fact that I cannot "choose" who I have hold my information. If I could specify that only Equifax could hold my data, then I'd bet that ChoicePoint would be more concerned about winning me as a customer and try to do a better job. Maybe not, but I hope so.

  • Speaking from a credit reporting agency perspective (not ChoicePoint), we have a big incentive to "get it right." From my perspective, our foremost incentive is our own integrity and deep appreciation for the impact that our services have on the lives of every person in this country. But you also have to realize that our customers are not looking to deny loans, checking accounts, or auto deals. They want to finance individuals and make as many deals as possible.

    Given that motivation, we must have as much information as possible, but that information must also be accurate. Large credit grantors perform regular comparisons of our information in an effort to determine which of the three agencies has the most accurate information in given areas of the country. If all they wanted was a collection or judgment so a denial could be issued, we could just make up negative information.

    The issue with ChoicePoint is somewhat different. Depending upon the particular use of ChoicePoint's data, what they return varies.

    For example, ChoicePoint is a leading provider of employment background checks. Very careful verification of that information is performed to be certain that what is reported does indeed belong to the individual applicant. That accuracy is once again vital to their continued survival. Constantly providing inaccurate data will drive customers away. Once again, employers are not looking to deny employment. ChoicePoint's employment background checks serve an important function. You wouldn't want that sex offender down in Florida working as a janitor at a daycare or as a cable guy doing installations in every home and apartment in town.

    In other areas, ChoicePoint performs data collection to help provide leads for law enforcement and to protect our national security. The use of the data comes with the understanding that it is simply providing investigative paths to follow. It is incumbent upon the user to decide which data to pursue and to conduct further investigation and verification of the data before proceeding or drawing conclusions. In the blog linked by Bkelly, the lady who received a copy of her ChoicePoint report was probably looking at this sort of report and certainly not an employment report. In fact, she even said of the Texas criminal information that the report stated verification was necessary. Of course, being a privacy advocate, it isn't possible that she would have any bias against ChoicePoint.

    I'm not trying to defend ChoicePoint but I do have a perspective from the inside of a similar and related industry. I know how Consumers Union distorted information in their supposed investigation of the credit reporting industry several years back. The headlines read that more than half of all credit reports contain errors. That sounds terrible. But when you check out just what they found, they defined a credit report with an error to include reports that were missing an address, those that had 2 addresses out of order, and a report listed under the maiden name of a woman who recently married. Those "errors" would never cost one a job or result in the denial of a loan. In fact, they are not even errors. Yes, they did find some legitimate errors but the true percentage was more like 1 percent instead of 50. CU was just too eager to make an industry look bad.

    To ChoicePoint's credit, they provided consumer notifications beyond what is required by law. I am personally aware of their deep concern over this issue and their desire to adequately protect consumer information while providing a needed service. These days you can't have a haphazard approach to business and survive. I don't believe ChoicePoint has such an attitude. However, the press sure seems to want to make it appear that they do.

    Bill

  • If you follow one of Schneier's links in that blog post, you'll get back to where he talked about ChoicePoint a little earlier:

    Schneier blog: ChoicePoint

    First, ChoicePoint at first only complied with the law in Cali. Only after public outrage did they notify everyone. They didn't go above and beyond out of a sense of moral obligation. They did so after getting pounded in the court of public opinion. That doesn't back up the morality you're trying to attribute to that organization. To reinforce what Steve says, the majority of employees may, but the organization as a whole has portrayed a different attitude.

    Second, bad data is bad data. It doesn't matter that it belonged to a privacy advocate. If her report had bad data, it's bad. Two of the three people cited in the MSNBC report were privacy advocates. Big deal. Here's why I say that... it would be one thing if they were intentionally playing a shell game with numbers. For instance, one cigarette company once said some 60% liked its product as much or more than its biggest competitor. Truth be told, more people actually liked the competitor, too. But some 40% didn't prefer either product over the other. Hence the reason they got away with the 60% number. The two privacy advocates weren't doing this. They were citing their own records. The third, a nurse, also had bad data. The nurse also asked what recourse she had that would effectively correct that data.

    Keep in mind ChoicePoint isn't like your industry. There are no laws regulating accuracy. There are no laws requiring a means of correction. Nor are there any laws outside of Cali requiring them to disclose when ChoicePoint's records have been compromised. Doing any of those things costs the company. So long as its bottom line isn't affected, why would they change the way they currently do business?

    K. Brian Kelley
    @kbriankelley

  • ChoicePoint, like our industry, is regulated by the FCRA and the recently passed FACT Act. FACT stands for Fair and Accurate Credit Transactions and applies to nearly all of ChoicePoint's services. Accuracy regulation is very much part of our lives.

    Bill

  • Bill,

    you may find that many in the security industry do not share the rosy view you've presented about ChoicePoint. If accuracy is now regulated for ChoicePoint, that's a good thing. However, who's doing the verifying? Can the end person, the one who the report is on, really trust that the data in ChoicePoint's databases are valid?

    Some discussion on another mailing list about ChoicePoint:

    Full-Disclosure March 2005 Archives (look for "re: choice-point screw-up and secure hashes")

    ChoicePoint execs aren't doing their best to help the company, either, as the sale of stock by two top execs (CEO and president) has raised an SEC probe. Why? Because they were selling stock after ChoicePoint knew of the intrusion but before it was known about publicly.

    SEC Launches ChoicePoint Probe

    Finally, keep in mind this was a repeat performance by ChoicePoint. As the saying goes, "Fool me once, shame on you. Fool me twice, shame on me."

    ChoicePoint Was Targeted Before

    K. Brian Kelley
    @kbriankelley
