Guest post by April Bourne, LSS Black Belt, Xerox Manager Sales Enablement and Training, Research & Product Development
The changes in technology even over a few years can only be described as amazing. Today’s cutting edge will be replaced by something bigger, better, faster and more secure. I remember having a 1G hard drive on my work computer back in the late 90’s along with a Windows NT 3.1 operating system. My new Galaxy Note S9 phone has 512Gs of storage and can do more than my old PC could even dream of on a good day. I’d probably wither away from old age (and frustration) trying to perform similar functions performed on my phone, on that old PC.
In the 1970’s, DES (Data Encryption Standard) was developed by IBM and the NSA. It was considered unbreakable until it was “broken” 20 years after its inception and subsequently replaced by AES (Advanced Encryption Standard). Today AES is considered “unbreakable” based on the computing power currently available to perform a successful brute force attack (when it is broken we might be colonized on Mars!). There are other security technologies, once considered superior when introduced, that human ingenuity and time have made obsolete.
Replacing Obsolete Security Technologies
The hashing algorithm SHA-0 (Secure Hashing Algorithm), introduced in 1993 and followed shortly thereafter by SHA-1, has been proven insecure after 20 years and replaced by SHA-2 in 2017. Let us not forget about SSL (Secure Socket Layer), introduced in 1996. The protocol was used to encrypt traffic to and from websites, but was deprecated and replaced by the then more secure TLS (Transport Layer Security) protocol in 2015. Current recommended versions of TLS are TLS 1.2 and TLS 1.3 as of June 30, 2018. This recommendation is mainly driven by credit card compliance standards under PCI DSS (Payment Card Industry Data Security Standard), since TLS 1.1 is no longer considered secure.
WEP (Wireless Encryption Protocol), released in 1997 by the IEEE, was considered to be a secure standard to protect wireless communications on 802.11 wireless networks. The security of the protocol, however, was short-lived and proven insecure in as little as two years. The technology had been widely adopted and was also used by many home network routers. Anyone with the right tools and even subpar hacking skills, however, could successfully break WEP in less time than it takes to order a pizza.
Evolution of Wireless Protected Access
WPA (Wireless Protected Access) was introduced as an interim replacement for WEP in 2003 to address known security issues. WPA2 then replaced WPA in 2004 shortly after its initial release and all was good with the world. Our wireless communications using WPA2 were finally secure again…but surely not forever?
Time has continued to march on, and in 2018 WPA2 is now on its second known vulnerability, which also exploits a weakness in the four-way handshake it uses to establish a secure connection. Attackers don’t have to be plastered in the middle of communications anymore; they can perform what is called an “offline” dictionary attack to determine a Wi-Fi password. An offline attack requires little interaction with the victim (as opposed to an online attack), and once the password is determined, the attacker has the keys to your network kingdom. Your router only knows the right password and cannot distinguish a legitimate invited guest from an attacker, who may now work evil magic on all of your networked devices.
The issue isn’t the strength of the encryption used, but how the four-way handshake functions, which can allow attackers to take the gory business of hacking offline. Offline dictionary attacks allow attackers all the time required to run computer programs designed to find that special password, which is your favorite baseball team, your niece’s name, your dog’s name, your favorite car, your alma mater, etc. I think you get the picture.
Really Strong Password: Good News, Bad News
The good news is a strong password can help make this type of attack highly improbable. The bad news is you need a “really strong” password. Cybersecurity experts have been telling us the importance of strong passwords for at least 10 years. Humans may be good at innovation and creativity, but we seem to be very dull and quite predictable when it comes to passwords. For Pete’s sake, and yours, create STRONG passwords!
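As an added illustration (not code from the post's author), the sketch below audits a Wi-Fi passphrase from the defender's side: it derives the WPA2-Personal master key as the standard does (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds), measures how fast one local CPU core performs that derivation, and estimates how long a randomly chosen passphrase would withstand offline guessing. The word list, the 80-bit cut-off, the SSID `ExampleSSID` and all function names are assumptions made for the example.

```python
import hashlib
import math
import string
import time

# Constructed sample of predictable choices like those the post lists
# (team, pet, car, school); a real audit would load a large wordlist.
PREDICTABLE = {"yankees", "buddy", "mustang", "harvard", "password"}

def _check(passphrase: str) -> None:
    ok = 8 <= len(passphrase) <= 63 and passphrase.isascii() and passphrase.isprintable()
    if not ok:
        raise ValueError("WPA2 passphrases are 8 to 63 printable ASCII characters")

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    _check(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def local_guess_rate(samples: int = 20) -> float:
    """Derivations per second on one local CPU core (GPU rigs are far faster)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate{i:04d}", "ExampleSSID")  # assumed SSID
    return samples / (time.perf_counter() - start)

def audit(passphrase: str, guesses_per_sec: float) -> dict:
    """Rate a passphrase against offline guessing at the given (assumed) speed."""
    _check(passphrase)
    # Strip digits/symbols so "Mustang2018!" is recognised as "mustang".
    core = passphrase.lower().strip(string.digits + string.punctuation)
    if core in PREDICTABLE:
        return {"verdict": "predictable", "bits": 0.0, "years": 0.0}
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    # Upper bound: only holds if every character was chosen at random.
    bits = len(passphrase) * math.log2(alphabet)
    years = 2 ** (bits - 1) / guesses_per_sec / (365 * 24 * 3600)
    verdict = "strong" if bits >= 80 else "weak"  # 80 bits is an assumed cut-off
    return {"verdict": verdict, "bits": round(bits, 1), "years": years}

if __name__ == "__main__":
    rate = local_guess_rate()
    for pw in ("Mustang2018!", "qzvkpwmx", "t7#Lq9!vR2x@Wm4$Zp"):
        print(pw, audit(pw, rate))
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, but the 4096 rounds add only a fixed cost per guess and do nothing for a passphrase built on a predictable word.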
Given enough time, just about anything is possible to do or discover. Remember, humans did put a man on the moon and brought him back in one piece. The point is nothing is forever, nor will anything be secure forever, because as humans we have the creativity to keep innovating and pushing the envelope.
Never fear, however: WPA3 is on its way to save us all from password kryptonite, but please, don’t get too comfortable.