Companies such as Yahoo!, Amazon, PayPal, eBay and HSBC are also affected

Oct 25, 2012 07:53 GMT  ·  By

The United States Computer Emergency Readiness Team (US-CERT) has issued an alert warning that DomainKeys Identified Mail (DKIM) verifiers can be successfully leveraged by cybercriminals to spoof emails.

It all started with an email sent by a Google recruiter to mathematician Zachary Harris. He thought it was a fake email, so he started analyzing it in hopes of proving that it had been sent by a scammer.

What he found was the element that triggered the US-CERT alert. Google was actually using a weak cryptographic key for DKIM, a system that lets organizations take responsibility for the emails they send out and certify to recipients that the messages are legitimate.

Harris told Wired that Google was actually using 512-bit keys, despite the fact that the standard requires the use of keys that are at least 1024 bits in length.

Google addressed the issue after the expert sent an email to Google founders Larry Page and Sergey Brin. To prove his point, he sent each of them an email that appeared to be originating from the other founder.

However, during his research, Harris found that Google wasn’t the only one not respecting the standard. It turns out that Yahoo!, Amazon, eBay, Dell, Apple, Twitter, and even PayPal, HSBC and US Bank fail to use strong DKIM keys.

PayPal, US Bank and HSBC use 768-bit keys, which are stronger than 512-bit keys but can still be cracked. Considering that these particular companies are a tempting target for cybercriminals, Harris called the practice “not okay.”

US-CERT is advising organizations to replace all RSA signing keys shorter than 1024 bits and to ensure that their systems do not allow testing mode on production servers, since some keys that do not meet the requirements have been found in production environments.
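As an added example (not part of the article or of US-CERT's alert), a small Python audit that applies both of those checks to a DKIM DNS TXT record: it parses the record's tag=value list, decodes the base64 SubjectPublicKeyInfo carried in the p= tag to read the RSA modulus size, and looks for the t=y testing flag. The DER helpers, the function names and the placeholder moduli in `make_record` are all constructed here; fetching the record itself from DNS (the selector._domainkey.domain TXT record) is left to the caller.

```python
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER-encoded rsaEncryption OID

def der_encode(tag, content):  # DER TLV; long length form when >= 128 bytes
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(v):  # DER INTEGER; leading 0x00 keeps the value positive
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return der_encode(0x02, b"\x00" + b if b[0] & 0x80 else b)

def build_spki(n, e=65537):  # SubjectPublicKeyInfo, the object a p= tag base64-encodes
    rsa_key = der_encode(0x30, der_int(n) + der_int(e))
    return der_encode(0x30, der_encode(0x30, RSA_OID + b"\x05\x00")
                      + der_encode(0x03, b"\x00" + rsa_key))

def der_read(buf):  # read one DER TLV; return (content, bytes after it)
    length, pos = buf[1], 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        pos += length & 0x7F
        length = int.from_bytes(buf[2:pos], "big")
    return buf[pos:pos + length], buf[pos + length:]

def rsa_modulus_bits(spki):
    body, _ = der_read(spki)           # SubjectPublicKeyInfo SEQUENCE
    _, rest = der_read(body)           # skip AlgorithmIdentifier
    bitstr, _ = der_read(rest)         # BIT STRING; first byte counts unused bits
    rsa_key, _ = der_read(bitstr[1:])  # RSAPublicKey SEQUENCE
    modulus, _ = der_read(rsa_key)     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def audit_dkim_record(txt, min_bits=1024):
    """Findings the US-CERT guidance would flag for one DKIM TXT record."""
    tags = {k.strip(): v.strip() for k, v in
            (f.split("=", 1) for f in txt.split(";") if "=" in f)}
    p = "".join(tags.get("p", "").split())  # base64 may be split by whitespace
    if not p:
        return ["empty p= tag: selector is revoked, cannot sign"]
    findings = []
    bits = rsa_modulus_bits(base64.b64decode(p))
    if bits < min_bits:
        findings.append(f"weak RSA key: {bits} bits (< {min_bits})")
    if "y" in tags.get("t", "").split(":"):  # t= is a colon-separated flag list
        findings.append("testing mode enabled (t=y) on a published selector")
    return findings

def make_record(bits, testing=False):
    """Constructed sample record; the modulus is a placeholder, not a real RSA key."""
    p = base64.b64encode(build_spki((1 << (bits - 1)) | 1)).decode()
    return "v=DKIM1; k=rsa; " + ("t=y; " if testing else "") + "p=" + p
```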

“It’s no secret that organizations are relying on weak encryption keys and algorithms to secure mission-critical systems and data, and that these keys represent open doors to hackers and cyber criminals,” Jeff Hudson, CEO of Venafi, told Softpedia in an email.

“What’s unfathomable is that hyper security-conscious organizations like Google may still leverage weak keys for authentication, especially in the wake of Microsoft’s Flame-malware compromise, where Microsoft acknowledged that weak encryption resulted in major breaches and malware infections,” he added.

“Unfortunately, antiquated and manual encryption management processes are still in use today, processes that expose many of the world’s largest companies to significant security and operational risks. Until organizations act to monitor their encryption deployments and remove weak keys and certificates, these types of breaches will continue to make headlines.”

Updated with Jeff Hudson's statement.