Monday, January 23, 2012

Encryption Matters

Online retailer Zappos recently announced that hackers have broken into its system and stolen personal customer information. They then notified the customers and advised them to change their passwords.

The hackers broke into the system through one of their offsite servers. They then found their way into the customer data files.

The files contained passwords for the customer accounts, which were encrypted. However, the company is concerned that the encryption may be broken through the use of rainbow tables. Such tables are pre-computed algorithms that can calculate in reverse the encryption ciphers and then reveal the original text of the passwords. A common defense against rainbow tables is the use of salted encryption, under which a layer of (salt) or unique identifiers is applied to the password files, which causes the ciphers to be unique to each password. Therefore solving one cipher does not open up the other passwords. The Zappos concern about the use of rainbow tables might be an indication that salted encryption was not used.

The big take-away from this incident is that the the type of encryption used in a system is critical. Most everyone knows by now that encryption of sensitive data is crucial to system security, but not everyone is aware of the many ways to execute the encryption and the risks that can accompany some of them.\

For a write-up on the announcement, check this link.

No comments: