{"id":3443,"date":"2017-05-23T15:52:32","date_gmt":"2017-05-23T21:52:32","guid":{"rendered":"https:\/\/www.whitefirdesign.com\/blog\/?p=3443"},"modified":"2017-05-23T15:52:32","modified_gmt":"2017-05-23T21:52:32","slug":"checkmarx-fails-the-wikipedia-test","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2017\/05\/23\/checkmarx-fails-the-wikipedia-test\/","title":{"rendered":"Checkmarx Fails the Wikipedia Test"},"content":{"rendered":"<p>When looking at the poor state of the security industry, one of the things we have noticed is that far too often you can get better information from Wikipedia than you can from many in the security industry.<\/p>\n<p>One recurring issue we see is people in the security industry referring to dictionary attacks, which involve trying to log in using common passwords, as brute force attacks, which involve trying to log in using every possible password. Wikipedia, by comparison, manages to accurately describe both <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dictionary_attack\">dictionary attacks<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Brute-force_attack\">brute force attacks<\/a>. 
They even mention the contrast between them:<\/p>\n<blockquote><p>In contrast to a <a class=\"mw-redirect\" title=\"Brute force attack\" href=\"https:\/\/en.wikipedia.org\/wiki\/Brute_force_attack\">brute force attack<\/a>, where a large proportion of the <a title=\"Key space (cryptography)\" href=\"https:\/\/en.wikipedia.org\/wiki\/Key_space_(cryptography)\">key space<\/a> is searched systematically, a dictionary attack tries only those possibilities which are deemed most likely to succeed.<\/p><\/blockquote>\n<p>While looking for some information on the website of the security company Checkmarx recently, we ran across them not understanding the difference between hashing and encryption.<\/p>\n<p>The last sentence of an <a href=\"https:\/\/www.checkmarx.com\/2016\/09\/19\/is-your-website-safe-security-lessons-from-the-canadian-forum-hack\/\">article<\/a> looking at a hack of a website is as follows:<\/p>\n<blockquote><p>Included in the leaked information of the VerticalScope forum and website users were their usernames, user IDs, email addresses and encrypted passwords.<\/p><\/blockquote>\n<p>For people who know about password security, the use of encrypted passwords would seem rather odd and would indicate that things were not being done securely.<\/p>\n<p>Further down, the article goes into more detail:<\/p>\n<blockquote><p>Finally, a vast majority of the passwords were encrypted using methods that were very easy to break using MD5 with salting and less than a couple million of the 45 million passwords were sufficiently encrypted.<\/p><\/blockquote>\n<p>That brings us to the first sentence of the second paragraph of the <a href=\"https:\/\/en.wikipedia.org\/wiki\/MD5\">Wikipedia article on MD5<\/a>:<\/p>\n<blockquote><p>Like most hash functions, MD5 is neither encryption nor encoding.<\/p><\/blockquote>\n<p>To understand why that matters, it helps to think of hashing as one-way encryption. 
When using that on a password, the actual password is converted into some other text, but unlike encryption you cannot decrypt it. That way, even if someone gets hold of the stored version of a password, say on a website, they can&#8217;t get the original password.<\/p>\n<p>If you are wondering how the system then knows whether the correct password is being entered in the future, the answer is that the password entered then is run through the hashing algorithm and the result is checked to see if it matches the stored version.<\/p>\n<p>The misuse of the term encryption continues in the article, even being used to promote one of Checkmarx&#8217;s services:<\/p>\n<blockquote>\n<h2>The Importance of Proper Encryption<\/h2>\n<p>VerticalScope attempted to hash their passwords using MD5 with salting which security-minded developers <a href=\"http:\/\/security.stackexchange.com\/questions\/61489\/is-salted-md5-or-salted-sha-considered-secure\" target=\"_blank\" rel=\"noopener noreferrer\">agree<\/a> is an \u201cemphatically poor choice\u201d when it comes to securing passwords. First designed in 1992, the MD5 algorithm is a hash function which produces a 128-bit hash value. As early as 1996, flaws were determined in the design of MD5 and in 2005 it became apparent that MD5 was not collision resistant, a key component for a secure encryption algorithm.<\/p>\n<h3>How to Ensure Proper Encryption<\/h3>\n<p>In addition to avoiding MD5 hashing as your method of choice, it\u2019s important to also avoid SHA-0 since it has been conclusively broken, SHA-1 as well as DES as it can be broken by the average desktop computer\u2019s GPU.<\/p>\n<p>When choosing your encryption method, be sure to focus on using a symmetric algorithm key size that is at least 168 bit and if you\u2019re dealing with financial transactions, use at least 256 bits. 
Ensuring that your application protects all cryptographic keys within the file system will also help ensure that your encrypted data is not exploited.<\/p>\n<p>Additionally, using a static code analysis solution to ensure that your application has sufficient encryption is also recommended as your developers will be able to mitigate any encryption issues at the earliest stages of the SDLC. Checkmarx\u2019s CxSAST scans for and identifies encryption security issues in multiple languages including Java, CPP, JavaScript, Objective C, C++ and Perl.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>When looking at the poor state of the security industry, one of the things we have noticed is that far too often you can get better information from Wikipedia than you can from many in the security industry. One recurring issue we see is people in the security industry referring to dictionary attacks, which &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2017\/05\/23\/checkmarx-fails-the-wikipedia-test\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Checkmarx Fails the Wikipedia 
Test&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[121,124],"class_list":["post-3443","post","type-post","status-publish","format-standard","hentry","category-bad-security","tag-checkmarx","tag-password-hashing"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3443","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=3443"}],"version-history":[{"count":2,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3443\/revisions"}],"predecessor-version":[{"id":3505,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3443\/revisions\/3505"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=3443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=3443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=3443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}