The discredited cryptographic hash function SHA-1 is woven deep into the IT infrastructure on which organisations rely to do business safely. Now generally accepted as insecure, SHA-1 represents a ticking bomb for operations which fail to remove or disable the function - but many will be unaware they are at risk.
Unless organisations ask the right, very specific questions of their partners, service providers, and suppliers, as well as their own IT, they will not know if they are exposed to danger. Being assured that the latest encryption protocols are in place is not enough: as long as SHA-1 remains active within infrastructure, it will continue to pose a threat.
For retailers, the risk is financial, while for service providers, SHA-1 imperils reputation. The business impact of this faulty technological gene, deeply embedded in most IT security products, could be catastrophic – but the good news is that it is relatively easy to fix the problem. Everything hinges on recognising that the threat exists so action can be taken to remove it.
The clock is ticking
SHA-1 was designed by the United States National Security Agency and is used worldwide to authenticate files: passwords, website certificates, program updates, and so on. It works by generating a cryptographic hash result – a digital representation of a piece of stored or transmitted data, against which comparisons can be made to verify a file has been unaltered. If both hashes are identical, the transmitted data can be considered genuine and unaltered.
But cryptanalysts have been increasingly concerned about the vulnerability of SHA-1, believed to be involved in the 2012 LinkedIn hack which saw 6.5 million user accounts compromised. Then, in February this year, researchers succeeded in generating a “hash collision” for two different documents using the encryption algorithm: both files hashed to the same value. By cryptographic standards, the algorithm was officially broken.
As a highly technical element of the encryption process, the hash function may be a mystery to most business people – but it needs to be on the C-suite's radar. With the right level of computing power and technique, hackers can generate identical checksums for files supposedly protected by SHA-1, opening the door to spoofing. Rogue data appears genuine and systems are tricked into interacting with malicious software.
Cyber-criminals are now throwing resources at SHA-1 in a bid to prise it wide open. We estimate that within a couple of years virtually anybody on a desktop machine will be able to crack it. Businesses must act now to remove the developing threat.
Don't leave the window open when you lock the door
The risk does not disappear automatically when encryption infrastructure is upgraded. If SHA-1 remains enabled on a system after the switch is made to using a more secure hash, it can still be exploited. SHA-1 must be actively removed or disabled.
So businesses must guard against empty assurances that encryption and authentication processes are “world class” or “bang up-to-date”. Asking providers generic questions about security guarantees nothing: a business needs to know whether a provider has reviewed their products for SHA-1 specifically and taken appropriate action.
If you think of hash functions as potential entry points to a building you want to secure, the risk becomes obvious. You can put a state-of-the-art electronic lock on the front door, but unless you also remove the big glass window next to it, the new lock is a useless attempt to improve security.
Google recognised this upcoming threat a few years ago and, despite initial accusations of scaremongering, made changes to its Chrome browser so it now warns users that a website may be insecure if it detects the use of SHA-1. The smaller web browser Opera does the same, but elsewhere there are precious few examples of this threat being taken seriously and tackled. The IT industry needs to proactively hunt down and remove SHA-1.
Ask the right questions
CEOs can make sure SHA-1 is not putting the business at risk by asking three clear questions:
1. Do we know what hash functions are used in our cyber-security suite?
2. Have we reviewed our cyber-security to ensure that the SHA-1 function is not being used anywhere, even indirectly?
3. Have we asked the same questions of our key partners and suppliers with whom we do electronic transactions?
Focus attention on systems that have been developed internally and on products that may not have been reviewed for some time, and measure the cost of upgrading IT security against the potential cost of fraud, both to the bottom line and to reputation.
Most properly constructed security products should be able to fix the SHA-1 problem relatively easily.
Contributed by David Cohen, principal consultant, Mason Advisory
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.