One Man's Blog

Specialization is for Insects.


Most Popular Banking Encryption Method Cracked

January 30, 2007 By John P.

According to the Epoch Times, in five years, the U.S. government will cease to use SHA-1 (Secure Hash Algorithm) and convert to a new and more advanced “hash” algorithm, according to the article “Security Cracked!” from New Scientist.

The reason for this change is that associate professor Wang Xiaoyun of Beijing’s Tsinghua University and Shandong University of Technology, and her associates, have already cracked SHA-1. This marks the fifth straight encryption method that Xiaoyun’s team has broken (SHA-1, MD5, HAVAL-128, MD4, and RIPEMD).

What does this mean for the rest of us?

Well, MD5 and SHA-1 are the two most extensively used hash algorithms in the world. These two main algorithms currently underpin many digital signature and other security schemes in use throughout the international community.

They are widely used in banking, securities, and e-commerce. In fact, SHA-1 has been recognized as the cornerstone for modern Internet security.

For example, whenever you log in to your online bank account, or make a purchase from Amazon.com, they tell you not to worry because “This transaction is protected by Secure Socket Layer Encryption”; well, guess what… That’s an SHA-1 encrypted session.

And if your company has set you up with a laptop and a VPN connection back to the corporate LAN, guess what? Yep, that’s an IPsec connection powered by SHA-1.

According to Bruce Schneier, who warned that this was coming 2 years ago:

For the average Internet user, this news is not a cause for panic. No one is going to be breaking digital signatures or reading encrypted messages anytime soon. The electronic world is no less secure after these announcements than it was before.

But there’s an old saying inside the NSA: “Attacks always get better; they never get worse.” Just as this week’s attack builds on other papers describing attacks against simplified versions of SHA-1, SHA-0, MD4, and MD5, other researchers will build on this result. The attack against SHA-1 will continue to improve, as others read about it and develop faster tricks, optimizations, etc. And Moore’s Law will continue to march forward, making even the existing attack faster and more affordable.

Jon Callas, PGP’s CTO, put it best: “It’s time to walk, but not run, to the fire exits. You don’t see smoke, but the fire alarms have gone off.”

All of this demonstrates why I keep repeatedly commenting on the lack of defense in depth at our financial institutions.

If banks and investment firms would implement an additional layer of protection beyond the simple password or challenge Q&A and move to something such as SecurID tokens, it wouldn’t matter nearly as much if a password was compromised, because without the correct random code to go along with it a hacker would still be out of luck.

Here is a great little video to explain what I’m talking about.

Filed Under: Security Tagged With: Bank-of-America, Banking, China, Defense-in-Depth, Encryption, hacker, Security, Shopping, Smith-Barney

Comments

  1. internet haberleri says

    June 26, 2007 at 8:33 am

    Thanks, great post
