Posted in Information Technology / Politics / Thank You Sir May I Have Another

You Are the Security Breach

If you are using XML, JSON, or the other trendy free-text data transmission formats loved by script kiddies, you are the security breach. It’s possible your company doesn’t know it yet, but they will.

Seriously, people, I’ve seen XML doing this:

<ssn>123-45-6789</ssn>

How about JSON doing this?

{
    "firstName": "John",
    "lastName": "Smith",
    "ssn": "123-45-6789"
}

Laugh all you want, script kiddies code systems up like this all the time. They never went to school for a software engineering degree. They never learned how to develop software properly. I’ve run into some software developers with a degree in art history or something just as applicable but they all feel qualified to grab a scripting language and bang out an idiot phone app without thinking about proper design.

If your data matters you never use a free-text transmission format, ever.

I could not tell you how many times I heard

Oh we’re secure, we use SSL. They couldn’t call it Secure Socket Layer if it wasn’t secure.

Yeah, right. Encryption buys you time, nothing more, and it doesn’t buy you years if the key came from something a human picked. With the ever increasing computational power of desktop computers, combined with the GPU muscle found on low-cost video cards, “would take a super computer N years to crack” is a myth for any key derived from a passphrase. Do a search on eBay for “GT 730”. That card has 384 CUDA cores (GPU processors) and can generally be found for $50 or less. What those cores cannot do is exhaust a key that was actually generated at random: 2^128 candidates is out of reach for every GPU ever built. So the attacker’s real target is the weak passphrase, the shared key that never changes, or the broken implementation, and the free-text format is what lets them confirm a hit without a human ever looking at the output.

Whoever is trying to crack your encryption from a collection of sniffed packets doesn’t have to look at every trial decryption by hand. They don’t even have to be watching; it can all be automated if you are using one of these formats. As soon as one attempt returns something like:

<firstName>John</firstName>

or

"firstName" : "John"

a little regular expression test can stop the crunching because they’ve cracked your packet. It can then try the key that worked on this packet on the next one. If every packet is encrypted under the same key, that’s it, you’re screwed. Cracking the first packet gave them the entire stream. The only thing standing between that regex and your data is the key: if it was derived from a passphrase, a dictionary run finds it in minutes; if it was a random 128-bit key, the regex never fires, because the search never finishes.
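Here is that attack written out, as an added example and not code from the original post. It uses a constructed toy XOR stream cipher (keystream blocks are SHA-256 of key and counter) purely so the script runs on the standard library; the passphrase, wordlist and the two JSON packets are all made up for the example. The regular expression looking for a JSON key/value pair is the stopping oracle the post describes. It also shows the caveat from the paragraph above: the same oracle and the same wordlist recover nothing when the key was drawn from the OS random number generator instead of a passphrase.

```python
import hashlib
import json
import os
import re
from itertools import count
from typing import Optional

# Toy stream cipher, constructed for this example and NOT for real use:
# keystream block i = SHA-256(key || i). It stands in for any cipher where
# the attacker holds only ciphertext and has to guess the key.
def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    for i in count():
        if len(out) >= length:
            break
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))

decrypt = encrypt  # XOR stream cipher: decryption is the same operation

def key_from_passphrase(passphrase: str) -> bytes:
    # Weak on purpose: an unsalted hash of a human-chosen passphrase.
    return hashlib.sha256(passphrase.encode()).digest()

# The "little regular expression test": a JSON key/value pair in the
# decrypted bytes means the guess was right, no human needed.
PLAINTEXT_ORACLE = re.compile(rb'"firstName"\s*:\s*"')

def looks_like_plaintext(candidate: bytes) -> bool:
    return PLAINTEXT_ORACLE.search(candidate) is not None

def crack_with_dictionary(ciphertext: bytes, wordlist) -> Optional[str]:
    """Offline guessing: derive a key from each word, decrypt, stop on the first oracle hit."""
    for word in wordlist:
        if looks_like_plaintext(decrypt(key_from_passphrase(word), ciphertext)):
            return word
    return None

# Constructed sample traffic: two packets sent under one shared key.
PACKETS = [
    json.dumps({"firstName": "John", "lastName": "Smith", "ssn": "123-45-6789"}).encode(),
    json.dumps({"firstName": "Jane", "lastName": "Doe", "ssn": "987-65-4321"}).encode(),
]
# Constructed wordlist; a real attacker uses millions of leaked passwords.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "correcthorse", "admin123"]

def demo_weak_key():
    """Key derived from a passphrase: the oracle stops the search, and the
    recovered key opens the second packet with no search at all."""
    shared = key_from_passphrase("hunter2")
    sniffed = [encrypt(shared, p) for p in PACKETS]
    found = crack_with_dictionary(sniffed[0], WORDLIST)
    second = decrypt(key_from_passphrase(found), sniffed[1]) if found else None
    return found, second

def demo_random_key():
    """Same oracle, same wordlist, but a 128-bit key from the OS CSPRNG:
    2**128 candidates, so the regex never gets a chance to fire."""
    shared = os.urandom(16)
    sniffed = encrypt(shared, PACKETS[0])
    return crack_with_dictionary(sniffed, WORDLIST)

if __name__ == "__main__":
    word, second_packet = demo_weak_key()
    print("passphrase recovered:", word)
    print("second packet, decrypted with the same key:", second_packet)
    print("random 128-bit key, dictionary result:", demo_random_key())
```

Note what actually decided the outcome: the JSON gave the attacker a free way to recognise success, but the search only finished because the key was derived from a guessable passphrase and reused across packets. The same script against a random key returns nothing, which is the check to run before believing “we use SSL”.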

It’s time to start licensing software developers. They need to obtain a degree from a legitimate Software Engineering program then pass a licensing exam before they are allowed to write software which gets released into the wild. Just look at Facebook. You can find a more detailed saga here.

Roland Hughes started his IT career in the early 1980s. He quickly became a consultant and president of Logikal Solutions, a software consulting firm specializing in OpenVMS application and C++/Qt touchscreen/embedded Linux development. Early in his career he became involved in what is now called cross platform development. Given the dearth of useful books on the subject he ventured into the world of professional author in 1995 writing the first of the "Zinc It!" book series for John Gordon Burke Publisher, Inc.

A decade later he released a massive (nearly 800 pages) tome "The Minimum You Need to Know to Be an OpenVMS Application Developer" which tried to encapsulate the essential skills gained over what was nearly a 20 year career at that point. From there "The Minimum You Need to Know" book series was born.

Three years later he wrote his first novel "Infinite Exposure" which got much notice from people involved in the banking and financial security worlds. Some of the attacks predicted in that book have since come to pass. While it was not originally intended to be a trilogy, it became the first book of "The Earth That Was" trilogy:
Infinite Exposure
Lesedi - The Greatest Lie Ever Told
John Smith - Last Known Survivor of the Microsoft Wars

When he is not consulting Roland Hughes posts about technology and sometimes politics on his blog. He also has regularly scheduled Sunday posts appearing on the Interesting Authors blog.