Are You Talking To Me?
I had a conversation with a client recently. We’d just conducted a penetration test for his organisation and a number of cryptographic weakness findings had come up.
“These issues aren’t normally significant” he said. “Why are we failing now, when we were okay before?”.
A fair question, and one that deserves an answer. Here’s the summary:
Cryptography tends to start out strong, and gradually get weaker. Therefore, if you continually maintain support for old crypto, you’re becoming less secure and trustworthy. It might even be that your customers can’t even be sure that they’re talking directly to you instead of (or in addition to) the bad guys.
We’re at the point now where mainstream companies such as Microsoft, Mozilla and Google will no longer support weak crypto in their products. Combine this with the fact that there are many attacks targeting cryptographic weakness across a wide range of systems, and you have a situation where it is simply foolish not to react.
How does cryptographic weakness come about? Does crypto wear out? Almost, but not quite. Here’s why security tends to degrade over time if we don’t stay ahead.
- End-user compute power increases, making previously “uncrackable” cryptographic schemes crackable through sheer brute force. The resources previously available only to scientists and government agencies are now standard on every desktop.
- Inherent weaknesses are uncovered. Researchers are continually trying to break or disprove the underlying mathematics used in numerous crypto standards – many previously robust standards have subsequently been proven to be vulnerable to attack.
- Poor implementations are deployed. Sure, the maths looks good on paper, but by the time it is implemented in the real world, a vulnerability or two has slipped in. This should not be surprising though – software bugs and configuration mistakes are a simple fact of life and are actively researched by both legitimate cyber security professionals and cyber criminals too.
Although the buzzwords are recent, in some cases the weaknesses they represent have been known for decades. As new exploitation techniques are discovered and computing power advances, a tipping point is reached, suddenly turning an old theoretical vulnerability into a new threat. This can happen at short notice.
For this reason, the cyber security community is taking cryptography much more seriously than it did even five years ago. Attackers use crypto attacks to steal passwords or to eavesdrop on confidential communications.
For example, employees who use Public WiFi provided by hotels or coffee shops are particularly vulnerable. Connecting to work e-mail or VPNs in such circumstances provides the ideal opportunity for attackers to take advantage of weak crypto, and gain unauthorised access.
Microsoft, Mozilla and Google are making an example of organisations with insecure configurations by introducing scary warnings in their web browsers. For example, the following warning appeared in the Chrome browser as a result of Google’s policy to sunset support for the SHA-1 algorithm (which is used in part to create a digital signature for a web site)
What Can I Do About It?
An important piece of advice is to ensure that your staff or customers are not conditioned to ignore the kinds of warnings like the one shown above.
Requiring employees and customers to accept or ignore such warnings teaches them a careless attitude to cyber security. The warnings themselves also serve as an advertisement for attackers and can discredit your organisation, as it does not appear to be trustworthy or secure.
In support of this, ensure that all of your out-of-date or vulnerable systems are located and fixed. A great way to do this is to perform a regular penetration test. This will provide you with clear, actionable advice on where the issues are, and what to fix.