4. Insecure Cryptographic Storage

This threat ranks #7 in the OWASP Top 10 Application Security Risks 2010.

Applies to sensitive data stored in a database:
- Developers do not encrypt the data
- Developers encrypt the data using weak encryption methods (e.g. home-grown algorithms, SHA-1, MD5)

It is usually combined with other types of attacks.

Attackers can decipher the information if:
- They have the key
- Trial and error: attackers have the "hash values" and check them against long lists of possible passwords for validity (e.g. http://hashcrack.com/index.php, rainbow tables)
5. Implications for businesses

Both users and companies may suffer. Data is one of the most valuable assets for a company.

Main implications:
- Legal issues: companies are accountable for the data they store and for the use (and misuse) of that data
  - Privacy violation
  - Identity theft
  - Fraud
  Example: iTunes accounts in July 2010 and January 2011. "I will never use my debit card with Itunes again" – tofublock
- Reputation: the image of the company can be seriously damaged
- Confidential information: secrets, patents, research... can be stolen
6. Recommendations

Encrypt the data if it is sensitive!

Do not use:
- your own algorithms
- weak algorithms that have been proved to be vulnerable (MD5, SHA-1)

Use:
- Strong algorithms: SHA-2, SHA-3 (2012)
- Salt (generated random bits + info, e.g. f23r5jfaf+password)
- Random keys
- Asymmetric keys (one for ciphering, one for deciphering)

Restrict who has access to the data.
Protect the key.
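An added example, not from the slides, contrasting the two storage approaches: unsalted MD5 as warned against on slide 4, where the hash quoted in the editor's notes is recovered by a simple dictionary check, and a salted SHA-2 record as the hardened form. The word list is constructed, and stretching the salted SHA-256 with PBKDF2 is my choice of how to apply the salt, not something the slides specify.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed, deliberately tiny word list; the "long lists" the slides
# mention are the same idea at scale.
WORDLIST = ["123456", "letmein", "password", "qwerty"]


def weak_store(password: str) -> str:
    """Unsalted MD5, the kind of storage slide 4 warns against."""
    return hashlib.md5(password.encode()).hexdigest()


def dictionary_lookup(stored_hash: str, wordlist=WORDLIST) -> Optional[str]:
    """The 'trial and error' check: hash each candidate and compare.
    Returns the matching word, or None if nothing in the list matches."""
    for word in wordlist:
        if weak_store(word) == stored_hash:
            return word
    return None


def strong_store(password: str, salt: Optional[bytes] = None,
                 rounds: int = 200_000) -> str:
    """Per-user random salt + SHA-256 stretched with PBKDF2.
    Stored as 'salthex$rounds$digesthex' so verification can repeat it."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; constant-time compare."""
    salt_hex, rounds, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Because every record carries its own salt, two users with the same password get different records, and a list of precomputed unsalted hashes no longer matches anything.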
9. References

- "Insecure Cryptographic Storage", OWASP, 2010
- B. Hardin, "Insecure Cryptographic Storage", Miscellaneous security [online] http://misc-security.com/blog/2009/09/insecure-cryptographic-storage/
- Cryptography, Wikipedia
Editor's Notes
Sensitive data: passwords, personal information, credit card numbers, health records… It is usually combined with other types of attacks (meaning that the database first needs to be accessed). Try 5f4dcc3b5aa765d61d8327deb882cf99 in http://hashcrack.com/index.php. One of these "long lists" can be the dictionary…
Both users and companies might suffer. A user does not want his/her credit card number, for instance, stolen (this is privacy violation, and might lead to identity theft). In the same way, a company does not want its confidential information stolen, or data from its clients (because of legal issues). Legal issues: privacy, identity theft, fraud, data can be sold to competitors… iTunes case: credit card info stolen + iTunes accounts stolen http://www.bbc.co.uk/news/technology-12127603, http://mashable.com/2010/07/04/itunes-accounts-hacked/
These are algorithms for storing data, not for communications. MD: Message-Digest Algorithm. SHA: Secure Hash Algorithm. Protect the key (do not store it together with the algorithm). Remember that data encryption cannot assure:
- Integrity of the data (is the information correct and accurate?)
- The authenticity of the data
http://listverse.com/2007/10/01/top-10-uncracked-codes/