“Don’t Eat Your Hash without Salt” - Zappos Data Theft. February 29, 2012. Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Tags: Chris Mark, cybersecurity, data breach, hashing, InfoSec, mark consulting group, MD5, security, zappos
On January 12, 2012 it was announced on MSNBC.com that Zappos, an Amazon-owned shoe retailer, had experienced a data breach affecting more than 24 million accounts. According to the report, the attackers captured names, email addresses, telephone numbers, the last four digits of credit card numbers, and “cryptographically scrambled passwords”. The MSNBC report then states: “Using the clues gleaned from Zappos accounts, the hackers may now have enough clues to gain access to a user’s e-mail or other important accounts. So while Zappos passwords may still be relatively secure, all those other pieces of information can offer clues to a user’s password. That information can also be used to answer a weak set of security questions correctly.” Unfortunately, this article is somewhat misleading.
The description of ‘cryptographically scrambled’ passwords refers to passwords that have been stored using one-way cryptographic functions known as ‘hashing algorithms’. A hashing algorithm such as MD5, SHA-1 or SHA-256 is deterministic: the same input will always produce the same output. It is called ‘one way’ because the reverse does not hold: given only the output, recovering an arbitrary input is computationally infeasible (I say ‘infeasible’ rather than ‘impossible’ because nothing is truly impossible; it is simply far beyond any attacker’s computing budget). Why would you want a ‘one way hash’ to secure passwords?
Simple. First, it is important to store passwords securely for the obvious reason that you don’t want them exposed. Secondly, a one way hash is preferable to standard (reversible) encryption because encryption does not provide ‘non repudiation’ or accountability: whoever holds the decryption key, typically an administrator, can recover every user’s password. Consider the following. I input my password into a system. It is immediately hashed. As stated previously, the same input always yields the same output, but knowing the output does not allow someone to derive the input (see above). In this scenario the only place the password is stored is in my very small brain. The system stores only a ‘hash’ of the password, which by itself reveals nothing about the password. If an action is taken under my account, I cannot claim that the administrator or anyone else took the action, because it can be traced to my account and nobody but me knew the password. The admin does not have access to my password, simply the hash. So, overall, hashing passwords is a good idea. Where the article may be mistaken is in its assertion that the passwords are ‘relatively secure’.
Remember where I said it approaches ‘mathematical impossibility’ to derive the input from the output of a hash? That is true for an arbitrary input. A password is not an arbitrary input: it is drawn from the small space of words, names and patterns that people actually choose. So cybercriminals don’t ‘reverse’ the hash at all. They guess candidate passwords, hash each one, and compare the result to the stolen hash; with a fast algorithm like MD5 a single graphics card can test billions of guesses per second. Rainbow tables take this one step further. While brevity prevents rainbow tables from being addressed in detail in this blog, at a high level they are tables of precomputed hashes (strictly, compressed chains of hashes, but the effect is the same). The hashing work for a huge dictionary of candidate passwords is done once, up front; afterwards a criminal simply takes each stolen hash and looks it up in the table (very simple explanation). With large enough rainbow tables, nearly any hash of a typical password can be ‘broken’ in seconds.
It is possible that Zappos was using a salt with their hash (for non-techies, don’t laugh, this is what it is called 😉). A salt is a random bit of information, unique to each user, that is combined with the password before it goes into the one way hash algorithm. Remember that an input will always result in the same output using a hashing algorithm. By adding a ‘salt’ the output changes, because the input has changed by the addition of the random bits; two users with the same password end up with different hashes. The salt is normally stored right next to the hash and does not need to be secret. Its job is to make precomputation worthless: a rainbow table built for unsalted MD5 contains none of the salted hashes, and an attacker would need a separate table for every possible salt value, which with 8 or 16 random bytes is out of the question. Note what a salt does not do, though: once the database is stolen, the salt is known to the attacker, who can still guess passwords one record at a time. Salting forces the attacker to pay the cost of every guess per user; a deliberately slow algorithm such as bcrypt or PBKDF2 makes each of those guesses expensive as well.
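To make the last two paragraphs concrete, here is a small added example in Python (my own illustration, not code from Zappos or from MSNBC’s report). It builds a precomputed lookup table from a constructed wordlist, shows a single lookup cracking an unsalted MD5 hash, shows that the same table finds nothing once a random salt is added, and then shows that a known salt still allows per-record guessing, which is why the last step stretches the hash with PBKDF2. The wordlist, the user’s password and the salts are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed data: a cracker's small wordlist of common passwords (a real one holds
# millions of entries) and the password of a hypothetical user whose record leaked.
WORDLIST = ["123456", "password", "qwerty", "letmein", "shoes2012", "dragon"]
USER_PASSWORD = "letmein"  # hypothetical; deliberately weak and in the wordlist


def md5_hex(data: bytes) -> str:
    """Deterministic: the same bytes always give the same digest."""
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext for every word in the list.

    Rainbow tables proper store compressed hash chains to save space, but against
    unsalted hashes the effect is the same as this dictionary: the work of hashing
    every guess is done once, then each stolen hash costs one lookup.
    """
    return {md5_hex(w.encode()): w for w in words}


def lookup(table, stored_hash):
    """One table lookup recovers the plaintext, or None if it was never precomputed."""
    return table.get(stored_hash)


def hash_salted(password: str, salt: bytes) -> str:
    """Salted MD5. The salt is stored beside the digest, in the clear."""
    return md5_hex(salt + password.encode())


def guess_salted(stored_hash, salt, words):
    """Per-record guessing: with the salt known, every candidate must be re-hashed
    for this one user. Precomputation no longer helps, but a weak password still
    falls quickly to a fast hash like MD5."""
    for w in words:
        if hmac.compare_digest(hash_salted(w, salt), stored_hash):
            return w
    return None


def hash_stretched(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted and stretched (PBKDF2-HMAC-SHA256): each guess now costs the attacker
    `iterations` hash computations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_stretched(password, salt, stored, iterations=100_000):
    """Constant-time comparison of a freshly derived hash against the stored one."""
    return hmac.compare_digest(hash_stretched(password, salt, iterations), stored)


def demo():
    table = build_lookup_table(WORDLIST)

    # 1. Unsalted: the stolen digest is cracked by a single lookup.
    unsalted = md5_hex(USER_PASSWORD.encode())
    cracked_unsalted = lookup(table, unsalted)

    # 2. Salted: two users with the same password get different digests, and
    #    neither appears in the precomputed table ...
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    salted_a = hash_salted(USER_PASSWORD, salt_a)
    salted_b = hash_salted(USER_PASSWORD, salt_b)
    table_hit = lookup(table, salted_a)
    # ... but per-record guessing with the known salt still works.
    cracked_salted = guess_salted(salted_a, salt_a, WORDLIST)

    # 3. Stretched: verification still works, and each guess is ~100k times slower.
    stretched = hash_stretched(USER_PASSWORD, salt_a)
    return {
        "cracked_unsalted": cracked_unsalted,
        "salted_digests_differ": salted_a != salted_b,
        "salted_table_hit": table_hit,
        "cracked_salted_by_guessing": cracked_salted,
        "stretched_verifies": verify_stretched(USER_PASSWORD, salt_a, stretched),
        "stretched_rejects_wrong": verify_stretched("password", salt_a, stretched),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the unsalted hash cracked by lookup, the salted hash missing from the table, the salted hash still recovered by guessing, and the stretched hash verifying correctly. MD5 is used in steps 1 and 2 only because it is the algorithm the post discusses; for a real system the takeaway is step 3, a per-user random salt plus a slow, iterated derivation.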
The article is right that the stolen information will allow criminals to begin deriving other information. More troubling is that if the hashed passwords are recovered as plaintext, it creates much bigger problems. Statistically, most people use the same one or two passwords for nearly all of their logins. This means that once a password is compromised, the chance of their other accounts being accessed increases significantly.
So, while Zappos did have a breach, kudos to Zappos for 1) protecting payment card data so that only the last four digits were accessed, which is both compliant with PCI DSS and more secure, and 2) hashing their customers’ passwords. While hindsight is always 20/20 and I am sure Zappos will feel some pain from this breach, it could have been much, much worse.