• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Industry News   »   Current News   »   Google, Microsoft, Yahoo fix email encryption flaw while others remain vulnerable

Google, Microsoft, Yahoo fix email encryption flaw while others remain vulnerable

  • Posted on:October 29, 2012
  • Posted in:Current News
  • Posted by:
    Trend Micro
0

A recently exposed weakness in a major email encryption standard has prompted several companies to update their messaging platforms, and a government advisory has urged others to do the same.

The issue relates to an email security standard known as DKIM, or DomainKeys Identified Mail, which embeds messages with a crytographic signature designed to verify the domain name that sent the message. The standard helps filter out spoofed messages from legitimate ones. However, improvements in computing power have made it possible to crack increasingly long keys.

In an advisory released on October 24, US-CERT cautioned that signing keys of less than 1,024 bits are now considered weak and that keys of up to 768 bits have been factored, or cracked. The threat arising from a weak encryption key is that a savvy party could impersonate a sender at a trusted domain, enabling spear phishing and other attacks.

In order to protect against this threat, US-CERT warned, system administrators should replace inadequate signing keys with updated versions that are longer than 1,024 bits.

A widespread weakness
US-CERT noted in its advisory that Google, Microsoft and Yahoo had all been affected by the encryption key issue and have since updated their systems to the more secure standard.

The problem came to light when Florida mathematician Zachary Harris received an email from a Google recruiter in December 2011 and noticed it was only using a 512-bit encryption key, according to a recent Wired article. Thinking the email might be a clever test, Harris cracked the key and sent a spoofed email from Google founder Sergey Brin to co-founder Larry Page. When he did not receive a response, and instead noticed Google had increased their encryption to a 2,048-bit standard, he realized he had stumbled across a legitimate weakness.

Looking into the issue, which he told Wired he previously knew nothing about, Harris found a number of other major sites using inadequate DKIM keys – which he classified as lengths of 384 bits, 512 bits and 768 bits – including PayPal, Yahoo, Amazon, eBay, Twitter, LinkedIn, Dell, Apple, HSBC, HP, US Bank and more. Google, eBay, Yahoo, Twitter and Amazon were all using 512-bit keys, while PayPal, LinkedIn, US Bank and HSBC were using the relatively more secure 768-bit keys.

“A 384-bit key I can factor on my laptop in 24 hours,” Harris told Wired. “The 512-bit keys I can factor in about 72 hours using Amazon Web Services for $75. And I did do a number of those. Then there are the 768-bit keys. Those are not factorable by a normal person like me with my resources alone. But the government of Iran probably could, or a large group with sufficient computing resources could pull it off.”

Danger for users
The effect of this weakness is that it can enable spear phishers – hackers using targeted phishing attacks – to bypass protective filters. By cracking the key, an attacker could send an email that appeared to be from Amazon CEO Jeff Bezos, for instance, both to the recipient and the system designed to verify the email as legitimate. The data security risk of such an attack is self-evident and considerable. Furthermore, the method is not terribly complex to a technologically savvy attacker, Harris warned, pointing out that his own expertise with DKIM was limited before the discovery.

In order to solve the problem, Harris explained, organizations can simply generate a longer key, although they must be careful to remove the existing shorter key in order to ensure it does not continue to be a target for attack. Google and others have already taken this step, and US-CERT has advised all system administrators to follow suit.

Security News from SimplySecurity.com by Trend Micro

Related posts:

  1. Researchers discover flaw in XML encryption
  2. The Ghost of Yahoo! Accounts Past
  3. Encryption in the Public Cloud: Advice for Security Techniques
  4. Customers may be overlooking security in Microsoft vs. Google cloud battle

Security Intelligence Blog

  • Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
  • Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack
  • Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Answering IoT Security Questions for CISOs
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • How To Be An Informed Skeptic About Security Predictions
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Trend Micro Selected as Launch Partner for AWS Ingress Routing Service and Stalkerware on the Rise
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • The Shared Responsibility Model
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • What Worries CISOs Most In 2019

Follow Us

Trend Micro In The News

  • Trend Micro Takes On Palo Alto Networks With Cloud Conformity Buy
  • Trend Micro Partners with Snyk to Fix Vulnerabilities for DevOps
  • Trend Micro Partners With Snyk To Advance DevSecOps
  • Hackers to stress-test Facebook Portal at hacking contest
  • NEW TECH: Trend Micro inserts 'X' factor into 'EDR' - endpoint detection response
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.