You Are the Security Breach

September 22, 2019

If you are using XML, JSON, or the other trendy free-text data transmission formats loved by script kiddies, you are the security breach. It’s possible your company doesn’t know it yet, but they will.

Seriously people, I’ve seen XML doing this:

<ssn>123-45-6789</ssn>

How about JSON doing this?

{
    "firstName": "John",
    "lastName": "Smith",
    "ssn": "123-45-6789"
}
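An added example (not code from the original post) of the check a team can run over request bodies or logged payloads before they leave the building: it walks a JSON or XML document and flags any field whose name or value looks like a Social Security number, so a plaintext `ssn` field like the ones above is caught before it is transmitted. The sample payloads and the list of sensitive field names are constructed for the demo; it uses only the Python standard library.

```python
"""Scan JSON and XML payloads for SSN-shaped values and sensitive field names.

Added example, not code from the original post.  The sample payloads and the
SENSITIVE_NAMES list are constructed for the demo.
"""
import json
import re
import xml.etree.ElementTree as ET

# US SSN shape: three digits, two digits, four digits, with dashes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Field names that should never carry a plaintext value, compared after
# lower-casing and stripping non-letters so "socialSecurityNumber",
# "social_security_number" and "SSN" all normalise to the same key.
SENSITIVE_NAMES = {"ssn", "socialsecurity", "socialsecuritynumber", "taxid"}


def _normalise(name):
    return re.sub(r"[^a-z]", "", name.lower())


def check_leaf(path, name, value):
    """Return (path, reason) findings for one scalar field."""
    found = []
    if _normalise(name) in SENSITIVE_NAMES:
        found.append((path, "sensitive-field-name"))
    if isinstance(value, str) and SSN_RE.search(value):
        found.append((path, "ssn-shaped-value"))
    return found


def scan_json(node, path="$", name=""):
    """Recursively walk parsed JSON, keeping a JSONPath-style location."""
    if isinstance(node, dict):
        out = []
        for key, value in node.items():
            out.extend(scan_json(value, f"{path}.{key}", key))
        return out
    if isinstance(node, list):
        out = []
        for idx, value in enumerate(node):
            out.extend(scan_json(value, f"{path}[{idx}]", name))
        return out
    return check_leaf(path, name, node)


def scan_xml(elem, path=""):
    """Recursively walk an ElementTree, checking attributes and text."""
    path = f"{path}/{elem.tag}"
    out = []
    for attr, value in elem.attrib.items():
        out.extend(check_leaf(f"{path}@{attr}", attr, value))
    text = (elem.text or "").strip()
    if text:
        out.extend(check_leaf(path, elem.tag, text))
    for child in elem:
        out.extend(scan_xml(child, path))
    return out


def scan_payload(text):
    """Detect the format from the first non-blank character and scan it."""
    stripped = text.lstrip()
    if stripped.startswith(("{", "[")):
        return scan_json(json.loads(text))
    if stripped.startswith("<"):
        return scan_xml(ET.fromstring(text))
    raise ValueError("unrecognised payload format")


# Constructed sample payloads mirroring the shapes discussed above.
SAMPLE_JSON = (
    '{"firstName": "John", "lastName": "Smith", '
    '"ssn": "123-45-6789", "phone": "555-0100"}'
)
SAMPLE_XML = "<person><firstName>John</firstName><ssn>123-45-6789</ssn></person>"

if __name__ == "__main__":
    for payload in (SAMPLE_JSON, SAMPLE_XML):
        for location, reason in scan_payload(payload):
            print(f"{reason:22} at {location}")
```

Run against the two constructed payloads it reports the `ssn` field twice (once for its name, once for its value) and stays quiet on `firstName` and `phone`; a value check on every string field also catches an SSN pasted into a free-text field such as a note or comment.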

Laugh all you want, script kiddies code systems up like this all the time. They never went to school for a software engineering degree. They never learned how to develop software properly. I’ve run into some software developers with a degree in art history or something just as applicable but they all feel qualified to grab a scripting language and bang out an idiot phone app without thinking about proper design.

If your data matters you never use a free-text transmission format, ever.

I could not tell you how many times I heard

Oh we’re secure, we use SSL. They couldn’t call it Secure Socket Layer if it wasn’t secure.

Yeah, right. Encryption buys you time, nothing more, and it doesn’t buy you years. With the ever increasing computational power of desktop computers, combined with the GPU muscle found on low cost video cards, “would take a supercomputer N years to crack” is just a myth. Do a search on eBay for “GT 730”. That card has 384 CUDA cores (GPU processors) and can generally be found for $50 or less.

Whoever is trying to crack your encryption based on a collection of sniffed packets doesn’t have to try every combination. They don’t even have to be watching; it can all be automated if you are using one of these formats. As soon as one attempt returns something like:

<firstName>John</firstName>

or

"firstName" : "John"

a little regular expression test can stop the crunching because they’ve cracked your packet. It can then try what worked on this packet on the next one. If your encryption method doesn’t rotate seeds and algorithms between packets, that’s it, you’re screwed. Cracking the first packet gave them the entire file.
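An added example (not code from the original post) of what rotating the keying material between packets looks like on the defending side. Each packet's encryption and MAC keys are derived with HKDF (RFC 5869) from a session secret and the packet's sequence number, and the tag is checked before anything is decrypted, so a key recovered for packet 1 fails the tag on packet 2 instead of opening it. It uses only the Python standard library; the session secret, salt and sample packets are constructed for the demo, and the HMAC-counter keystream stands in for a real cipher.

```python
"""Per-packet key rotation with HKDF (RFC 5869) and encrypt-then-MAC.

Added example, not code from the original post.  The session secret, salt and
sample packets are constructed for the demo; the HMAC-SHA256 counter keystream
is a stand-in for a real cipher, not a production construction.
"""
import hashlib
import hmac
import os
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt, ikm):
    """HKDF-Extract: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated to `length` bytes."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def packet_keys(prk, seq):
    """Independent encryption and MAC keys for packet number `seq`.

    The sequence number is bound into the HKDF info string, so every packet
    gets different keys and none can be derived from another without the PRK.
    """
    material = hkdf_expand(prk, b"packet" + struct.pack(">Q", seq), 2 * HASH_LEN)
    return material[:HASH_LEN], material[HASH_LEN:]


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (demo stream cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), HASH).digest()
        counter += 1
    return out[:length]


def seal_packet(prk, seq, plaintext):
    """Encrypt-then-MAC one packet under its own derived keys."""
    enc_key, mac_key = packet_keys(prk, seq)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, struct.pack(">Q", seq) + nonce + ciphertext, HASH).digest()
    return seq, nonce, ciphertext, tag


def open_packet_with_keys(enc_key, mac_key, packet):
    """Verify the tag first; return None (no plaintext at all) if it fails."""
    seq, nonce, ciphertext, tag = packet
    expected = hmac.new(mac_key, struct.pack(">Q", seq) + nonce + ciphertext, HASH).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def open_packet(prk, packet):
    """Receiver side: re-derive this packet's keys from the session PRK."""
    enc_key, mac_key = packet_keys(prk, packet[0])
    return open_packet_with_keys(enc_key, mac_key, packet)


if __name__ == "__main__":
    # Constructed session secret; in practice this comes from a key exchange.
    session = hkdf_extract(b"demo-salt", b"demo session secret")
    first = seal_packet(session, 1, b'{"firstName": "John"}')
    second = seal_packet(session, 2, b'{"lastName": "Smith"}')
    print("packet 2 with its own keys:", open_packet(session, second))
    k1_enc, k1_mac = packet_keys(session, 1)
    print("packet 2 with packet 1's keys:", open_packet_with_keys(k1_enc, k1_mac, second))
```

The two properties worth checking are that the keys for consecutive sequence numbers are unrelated and that a wrong key is rejected at the tag check, before any bytes are decrypted that a pattern match could inspect. Production code should use a standard AEAD such as AES-GCM or ChaCha20-Poly1305 with per-record keys or nonces rather than this HMAC keystream; the per-packet derivation and the verify-before-decrypt order are the parts that carry over.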

It’s time to start licensing software developers. They need to obtain a degree from a legitimate Software Engineering program then pass a licensing exam before they are allowed to write software which gets released into the wild. Just look at Facebook. You can find a more detailed saga here.