Full Disclosure mailing list archives

Re: Re: choice-point screw-up and secure hashes


From: "Kurt Seifried" <listuser () seifried org>
Date: Sat, 19 Mar 2005 01:36:53 -0700

Hashing SSN numbers and CC numbers doesn't matter unless you use a really huge salt that is stored separately. Why? Not enough variation. A credit card number for example:

4520 1234 1234 1234

except the first 4 digits (4520) are the bank code, so for example in Canada if you guess 4520 as the first 4 digits that's a safe guess since it's a Visa from TD Canadatrust (one of the big 3 banks here). You're now down to 10^12 which isn't a very huge search space. The same goes for SSNs, they simply aren't long enough to be meaningful; in Canada our SIN number (same idea as your SSN) is only 9 digits long. That's a trivially short search space.

To put it bluntly you basically can't store SSN/SIN/CC's in a "Secure" manner that obscures them significantly enough to prevent an attacker from brute forcing them unless you go to some extreme method, which companies won't do.

The sad part is there is NO (Zero, Nada, Zilch) incentive for companies to treat this data securely. Information for a hundred thousand people is stolen. So what? The company is not criminally liable in any way (I haven't heard of any laws yet). Civilly they're barely liable either. It'll be more of the same until we have laws with penalties for allowing theft of customer data. Too bad insurance won't work: when a physical item is stolen it costs money to get a new one, and insurance companies won't pay out unless you took due care/diligence. OTOH if you steal all the electronic data (and even erase it) a company just restores from a backup and goes on with life.

Kurt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
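The search-space argument above, worked through as an added example (not part of Kurt's post): it sizes the candidate space for a card number with a known 4-digit bank code and for a 9-digit SIN, then contrasts an unkeyed SHA-256 digest, which can be matched by enumerating a tiny constructed space, with an HMAC whose key is stored apart from the database (the post's "huge salt stored separately"). The 7-digit toy identifier and key are constructed for the demonstration.

```python
import hashlib
import hmac
import math
from typing import Optional, Tuple


def unknown_digit_space(total_digits: int, known_digits: int = 0) -> Tuple[int, float]:
    """Candidates an attacker must try, and the equivalent bits of secrecy.
    The post's card example: 16 digits with 4 known -> 10^12 (~39.9 bits);
    a 9-digit SIN with nothing known -> 10^9 (~29.9 bits)."""
    candidates = 10 ** (total_digits - known_digits)
    return candidates, math.log2(candidates)


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256: whoever holds the digest can enumerate the small space."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_hash(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 with a key kept away from the stored digests; without the
    key, enumerating identifiers gives nothing to compare against."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def enumerate_suffix(target: str, prefix: str, suffix_len: int,
                     key: Optional[bytes] = None) -> Optional[str]:
    """Toy demonstration over a tiny constructed space: try every suffix of
    suffix_len digits behind a known prefix and return the identifier whose
    digest equals target, or None. With key=None the digest is the unkeyed
    hash; passing a key only helps if it is the key the target was made with."""
    for n in range(10 ** suffix_len):
        candidate = prefix + str(n).zfill(suffix_len)
        digest = plain_hash(candidate) if key is None else keyed_hash(candidate, key)
        if hmac.compare_digest(digest, target):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: 7-digit identifier, first 4 digits ("bank code") known.
    sample, demo_key = "4520123", b"constructed-demo-key-kept-off-the-database"
    print("card space:", unknown_digit_space(16, 4), "SIN space:", unknown_digit_space(9))
    print("unkeyed digest recovered:", enumerate_suffix(plain_hash(sample), "4520", 3))
    print("keyed digest, no key:", enumerate_suffix(keyed_hash(sample, demo_key), "4520", 3))
```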

