Many U.S. Banks at Risk By Using Insecure Encryption Standards

As computers get faster and time passes, what was once uncrackable, now can be cracked. Many financial institutions that spend lots of money on security staff and equipment, haven’t audited their vulnerabilities as they relate to continued use of now crackable encryption. My personal audit of a handful of banks performed this week showed that more likely than not, banks are still using weak encryption cipher suites to secure end user online banking connections. Consumer grade computers can defeat 3DES in about two days time, yet many banks are continuing to allow that cipher suite to secure online banking transactions for their clients.

How Encryption is Used To Protect Us

Encryption algorithms are used to scramble and protect messages that travel between two or more computers, including emails, instant messages, and even web browser traffic.
Encryption algorithms are also used to validate the authenticity of a software or hardware firmware update as being legitimate.
If our smartphones and various internet enabled devices do not require strong encryption to serve important verification functions, then devices will continue to be compromised and companies, governments and individuals will all continue to be hacked.

When weak encryption algorithms continue to be used, root level control over those devices becomes a real concern and threat to national security. Teenage hackers and even terrorists have broad access to leaked CIA and NSA cyber weapons that can allow for take over of electronic IOT devices and persistence in our homes, be it our internet enabled Sonos, Dishwasher, Refrigerator, Thermostat, Smart Lightbulbs, VOIP Phones, IP Cameras, Smart TVs, Smart Phones, Routers, Automobiles or Computers. These attacks can occur from around the world. Many compromised devices have technical capabilities necessary to act as spy proxies and to even create fake cell phone networks in order to intercept calls and push out forged and harmful software updates.

Firmware is software that controls how various components of a computer or electronic device behaves. Forged firmware could be used to alter your smartphone or computer’s battery management functions and could be used to overclock computers while overcharging the batteries contained therein leading to explosions or fires in some cases. Imaging a terrorist attack that occurs at once where everyone’s computer devices all overheat at once and burst into flames!

It was revealed last month that the CIA lost control of Cyber Weapon implants that took control of most consumer WIFI routers. Presumably, many U.S. homes already have a compromised router that injects javascript into their browser when a user tries to access their online accounts, thereby creating a back channel for exfiltration of the users web activities. (See Cherry Blossom – https://wikileaks.org/vault7/)

Hardware rootkits that persist on board the motherboard takes malware to a new level and often beyond the capability of IT staff to remediate. Recently infected Princeton (W.Va.) Community Hospital replaced nearly 1,200 hard drives after it fell victim to a ransomware attack last week. Presumably, they were hit with “WannaCry” or “Not Petya”, both of which incorporated the leaked NSA Double Pulsar aka Eternal Blue exploit. If the malware was combined with other hardware rootkit persistence methods leaked to WikiLeaks and available on the dark web, then replacing all of those hard drives is a complete waste of time. http://wvmetronews.com/2017/06/30/princeton-hospital-to-replace-computer-hard-drives-after-cyber-attack/

If hardware becomes compromised such that a root kit loads from the motherboard microchips and other peripheral devices, replacing a hard drive on a compromised machine is futile in preventing future attacks, when the hardware’s firmware as been hacked.

This is all possible to accomplish because computer makers continue to support outdated encryption methods that sign drivers using SHA-1 or weaker encryption. Some say those older insecure certificate trusts are necessary to ensure backward compatibility. In my opinion, computer and peripheral makers should adopt and require SHA-256 signed driver and firmware updates by default. All Trusted Root Certificates that are SHA-1 or even MD5 should be completely removed from a default operating system such as Windows, Linux, Android, iOS, or OSX. If someone really wants to run old software, let them load up old, vulnerable and often expired certificates into their root trust, which leaves those devices vulnerable to a myriad of cyber attacks.

The U.S. Government issued warnings to agencies and the public not to continue to use the now deprecated SHA-1 encryption algorithm, which is no longer secure. Despite this, companies and financial institutions have not performed necessary audits of their external public facing servers that provide client’s access to online banking, or that are used to relay emails and other sensitive data transfer activities.

It is now known that encryption standards that used to be considered safe for protecting sensitive information, validating the authenticity of software/hardware updates are not secure and should not be used.

Some of these include:

  • Blowfish
  • 3DES
  • SHA1
  • MD5

Take a moment and check to see if any of your banking institutions are still supporting any of these weak and crackable security algorithms by visiting https://www.ssllabs.com/ and running a test against your banking provider. You may be surprised by what you find!

I describe in more detail how an attacker can compromise a bank client in situations where the bank continues to use these vulnerable encryption algorithms on my blog at http://glforensics.wpengine.com/3des-insecurities-pose-risk-to-many-financial-institutions-and-us-military/

Have a great weekend!

As of 7/7/2017, my bank was using insecure encryption protocols.

 

 

 

Facebook Comments

Be the first to comment on "Many U.S. Banks at Risk By Using Insecure Encryption Standards"

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.