April 13, 2018

Is Cryptography Your Cybersecurity Blind Spot? Lessons from Under Armour

David Maxwell, Chief Security Officer at Infosec Global

Headlines about cybersecurity attacks on major corporations are becoming predictable, sending customers scrambling to find out if their privacy has been compromised and forcing companies into crisis management. Last week fitness-wear giant Under Armour was the latest in a growing list. A data breach affected an estimated 150 million users of their food and nutrition application, MyFitnessPal. Shares of Under Armour fell as much as 4.6%, according to fortune.com.

The breach was similar to other highly publicized hacks at LinkedIn, where more than 100 million users were affected, and Yahoo, where 1 billion accounts were compromised. In all these incidents, hackers stole customer information that included usernames, email addresses and “hashed passwords.”

The breaches spark urgent questions about the state of current cryptography, and how and why hackers are breaking the codes. If companies want to avoid further, and possibly worse breaches, these questions must be addressed.

The need for defence in depth

Understanding the implications of data thefts like Under Armour’s requires a crash course in the role of cryptography in data security. The fundamental principle of security is not to put up one obstacle for attackers for overcome, but many. Firewalls come first, which protect access to the network. Cryptography comes last, which uses one-way mathematical processes to turn passwords into random-looking alphanumeric sequences, or “hashes.”

Many businesses take cryptography for granted

Cryptography is a vital, but often forgotten, level of protection for critical systems. It ensures the confidentiality, integrity and authentication of data by encoding it using various algorithms.

Compared to firewalls, backups and other security basics, cryptography tends to receive less attention from network administrators because of its pervasiveness and complexity. Beyond IT, there is a general lack of enterprise awareness of cryptography’s essential role in trustworthy security.

Current cryptography is strained to its limits

Today’s hyperconnected world relies on vast quantities of data constantly being encoded for digital safety and privacy, which has stretched most commonly used encryption methods beyond their design parameters. Other factors that are eroding the effectiveness of cryptography include:

Cryptography obsolescence: Any cryptographic algorithm becomes outdated and less secure over time as hackers exploit weaknesses in the underlying math. Old implementations have vulnerabilities exposed over time. 

Supply Chain Risk: Many organizations inherit risk from cryptography in third-party products and may not even be aware of what is in their systems.

The looming reality of quantum computing: Cryptographers have been warning for years that large-scale quantum computing, which could arrive in as little as a decade, will shatter even the toughest encryption codes in existence today.

Most organizations use at least some weak, outdated cryptography – often without knowing what part of their systems it’s in, its extent and what its impact could be.

Hackers thrive on weak cryptography

After Under Armour became aware of the breach, the company urged its customers to change their passwords immediately. In a memo to MyFitnessPal users, Under Armour revealed that it protected only “the majority” of passwords with the well-regarded bcrypt hashing function. The rest were hashed using the older SHA-1 function. The bcrypt function makes cracking the code extremely slow and resource-intensive for hackers, while SHA-1 is comparatively easy to break using brute-force attacks.

There are two broad categories of attack on private accounts:

Online attacks: An unauthorized party attempts to login as a legitimate user. Websites usually slow down potential hackers by using captchas (tests used to determine whether a user is human) after failed logins. They also use intentionally inserted delays to limit the speed of login attempts.


Offline attacks
: These types of attacks, like the one at Under Armour, are more dangerous. An unauthorized party manages to obtain the hashed user passwords and then runs a password cracker, with no inserted delays (except within algorithms such as bcrypt) and no limit on the number of computers deployed. Just one computer can test over 48 million passwords per second for SHA-1, versus four passwords per second for bcrypt.

Hackers can crack hashed passwords with alarming speed. According to thehackernews.com, it took just three minutes to decode more than 300 12-digit passwords hashed by MD5, an older algorithm than SHA-1. The site haveibeenpwned.com, which maintains a database of stolen user accounts, reports on 276 sites that have been compromised to date, accounting for 4.9 billion accounts – though this is not a definitive total since many data breaches go unreported. The need for cryptographic innovation will continue to rise exponentially as the world stays hyperconnected.

Interested in getting more visibility into the presence and effectiveness of cryptography in your organization?

InfoSec Global is launching the new AgileScan Cryptographic Threat Management solution, which can identify threats and manage/update cryptography from a centralized control interface, at RSA in San Francisco (April 16-20). To learn more visit https://www.infosecglobal.com/

David Maxwell, Chief Security Officer at InfoSec Global
April 13, 2018