If you followed the news over the past week, you will likely have heard about the crowd-funding site Kickstarter and the breach of its users' details.
But how does such a high-profile breach occur? TelecomsTech reached out to an internet security expert for further details…
Our expert today is Nick Hatter, who has a background in exposing potential threats.
Hatter advises TelecomsTech that, whilst Kickstarter uses a hash-based system to store user passwords (hashing, not encryption: the password is run through a one-way function and only the output is kept), such systems in general are not as secure as people may think, especially with the increasing amount of computing power available to attackers…
He provides us with an example: “My password could be ‘password’ and the SHA-1 (Secure Hashing Algorithm-1) hash is: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
If I were trying to crack what the password was, I would run the SHA-1 algorithm on a bunch of dictionary words. If you have big enough computing power, you can do it.”
Quantum key distribution, which derives keys from the measured properties of photons, is often cited as the nearest thing to an impenetrable system, but it protects keys in transit between two parties and does nothing for a stored database of password hashes.
But is there any easy way of substantially increasing the security of a hash-based system? There is no way to make stolen hashes uncrackable, since an attacker who holds the database can always keep guessing; what a site can do is make every guess expensive. Hatter has a method worth considering for at least slowing the attackers, and a deliberately slow, salted password hash such as bcrypt, scrypt or PBKDF2 with a high work factor goes further still, because each guess then costs thousands of hash computations instead of one…
“One way to do that is to add a ‘salt’ to the hash i.e. when I compute the hash for a password; it would be sha-1(password + salt)
If you have a different salt for every user; that could slow attackers down enough that it would take quite a long time. You would have to brute force the SHA-1 for *every single user* using different salts. Compare that to doing it for all users without salt…
So even if you obtained access to the database; it would be hard to crack the passwords without the secret salt – which isn’t stored in the database.”
Kickstarter has confirmed that it salts its password hashes, a measure that many websites still do not employ, but the breach shows that salting alone is anything but impenetrable. One caveat on the quote above: a salt is normally stored in the database right next to the hash, and that is fine, because its purpose is to defeat precomputed tables and shared cracking work rather than to stay secret. A secret value kept outside the database is a separate measure, usually called a pepper.
Scarier, for the end-user, is that if someone has stolen a database of (even hashed) passwords, there are online services that perform a "reverse hash lookup" against precomputed tables of common passwords.
Hatter demonstrated punching in the hash: “b70629d36f3cf2fcd224c012bc7b7cb58ad96e76”
… This returned: “coolbeans12”
So if this is your password dear reader, I’d change it now.
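To make Hatter's dictionary attack, his per-user salt and the reverse-lookup demonstration above concrete, here is an added example (not from the original article and not Kickstarter's or Hatter's code). It builds a small precomputed SHA-1 table from a constructed wordlist, cracks an unsalted hash store with one lookup per user, shows the same table failing against per-user salts so the wordlist must be re-hashed for every user, and then goes one step beyond the article by repeating the attack against a slow PBKDF2 hash to show how a work factor multiplies the attacker's cost. The user records, wordlist and iteration count are all constructed for the demonstration.

```python
import hashlib
import os

# Constructed wordlist standing in for a real cracking dictionary (hypothetical).
WORDLIST = ["123456", "password", "letmein", "coolbeans12", "qwerty", "hunter2"]

# Constructed user records (hypothetical). "dave" chose a password that is
# not in the wordlist, so no dictionary attack should recover it.
USERS = {
    "alice": "password",
    "bob": "coolbeans12",
    "carol": "letmein",
    "dave": "Tr0ub4dor&3-not-in-list",
}

# Assumed work factor for the slow-hash comparison; real deployments use more.
PBKDF2_ITERATIONS = 10_000


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(words):
    """Hash every candidate once. This is what a 'reverse hash lookup'
    service does at scale: one table serves every unsalted leak ever."""
    return {sha1_hex(w.encode()): w for w in words}


def store_unsalted(users):
    """Naive storage: SHA-1 of the bare password."""
    return {u: sha1_hex(p.encode()) for u, p in users.items()}


def crack_unsalted(stored, table):
    """One table lookup per user; no hashing happens at attack time."""
    return {u: table.get(h) for u, h in stored.items()}


def salted_sha1(password: str, salt: bytes) -> str:
    # Hatter's construction: sha-1(password + salt).
    return sha1_hex(password.encode() + salt)


def slow_hash(password: str, salt: bytes) -> bytes:
    """Deliberately slow password hash (PBKDF2-HMAC-SHA256): every guess
    now costs PBKDF2_ITERATIONS hash computations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def store_per_user(users, hash_fn):
    """Per-user random salt stored right next to the hash. The salt is not
    a secret; its job is to make precomputed and shared work useless."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, hash_fn(p, salt))
    return out


def crack_per_user(stored, words, hash_fn, cost_per_guess=1):
    """The precomputed table is useless here: the salt changes every input,
    so the whole wordlist is re-hashed for each user. Returns the cracked
    passwords and the number of underlying hash computations spent."""
    cracked, work = {}, 0
    for u, (salt, h) in stored.items():
        cracked[u] = None
        for w in words:
            work += cost_per_guess
            if hash_fn(w, salt) == h:
                cracked[u] = w
                break
    return cracked, work


def demo():
    table = build_lookup_table(WORDLIST)

    unsalted = crack_unsalted(store_unsalted(USERS), table)
    print("unsalted SHA-1, table lookups only:", unsalted)

    salted_store = store_per_user(USERS, salted_sha1)
    print("table hits against salted store:",
          sum(table.get(h) is not None for _, h in salted_store.values()))
    salted, work = crack_per_user(salted_store, WORDLIST, salted_sha1)
    print("salted SHA-1:", salted, "hash computations:", work)

    slow_store = store_per_user(USERS, slow_hash)
    slow, work = crack_per_user(slow_store, WORDLIST, slow_hash, PBKDF2_ITERATIONS)
    print("salted PBKDF2:", slow, "hash computations:", work)


if __name__ == "__main__":
    demo()
```

The unsalted store falls to a lookup table that was built once and never has to be rebuilt; the salted store forces a fresh run over the wordlist for each user; the PBKDF2 store forces that same run but at thousands of times the cost per guess. Note that the salt sits in the same tuple as the hash, which is the normal arrangement: an attacker who steals the database gets the salts too, and the defence still holds.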
Part of the email Kickstarter sent to those affected is displayed below:
Update 1: Nick would like to remind you of the fundamentals of internet security:
1. Keep everything patched and up-to-date.
2. Make security the centre of your design; giftgaming (Nick's startup) uses the Lift Framework, which is secure from the OWASP Top 10 vulnerabilities by default (XSS, injection, CSRF, etc.)
3. Never trust the user.
4. Think about security beyond just your app/server, i.e. physical security, etc.
(All views are Nick Hatter’s own and do not represent his previous employer’s or associates’ views)
What do you think about the Kickstarter breach and the security advice offered here?