First Target, then Neiman Marcus and now Kickstarter. These three organizations are part of a growing fear among shoppers and users: hacking. The latest breach came to light Feb. 12, when law enforcement officials discovered that Kickstarter, a crowdfunding organization designed for users to sponsor personal creative projects, had been accessed without authorization.
The hackers obtained user names, email addresses, phone numbers and encrypted passwords. Credit card information is not stored by Kickstarter, so that remained secure. Kickstarter notified its users Feb. 16 after the incident was “thoroughly investigated,” according to a blog post from the company, and the company urged users to change their passwords. Kickstarter uses more than one method to hash its passwords.
According to its blog, “older passwords were uniquely salted and digested with Secure Hash Algorithm (SHA-1) multiple times. More recent passwords are hashed with bcrypt.” SHA-1 is used to protect stored passwords, but the actual password is never stored or used directly to authenticate. Instead, the hash of the password a user submits is compared with the stored hash to determine whether people are who they claim to be. Because hash functions are one-way, a password cannot be recovered from its hashed version, according to College of Computing and Digital Media professor Jacob Furst.
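The two schemes named in the blog post, as an added illustration rather than Kickstarter's own code: a legacy record stores a per-user salt and a repeatedly applied SHA-1 digest, verification compares digests rather than passwords, and a legacy record that verifies is re-hashed under a slower function, which is how a site typically migrates off SHA-1 without ever holding plaintext. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 stands in for it here; the iteration counts and salt layout are assumptions, since the post only says "uniquely salted" and "multiple times".

```python
import hashlib
import hmac
import os

# Assumed iteration counts; the blog post gives neither.
LEGACY_ROUNDS = 1000
STRONG_ROUNDS = 100_000


def legacy_hash(password: str, salt: bytes, rounds: int = LEGACY_ROUNDS) -> bytes:
    """Salted, iterated SHA-1 (assumed layout): SHA-1(salt || password), then
    SHA-1(salt || previous digest) repeated until `rounds` digests have been taken."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha1(salt + digest).digest()
    return digest


def strong_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for the bcrypt step: PBKDF2-HMAC-SHA256, deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, STRONG_ROUNDS)


def make_record(password: str, scheme: str = "pbkdf2") -> dict:
    """Create the stored record: a fresh random salt plus the digest, never the password."""
    salt = os.urandom(16)
    if scheme == "sha1":
        return {"scheme": "sha1", "salt": salt, "digest": legacy_hash(password, salt)}
    return {"scheme": "pbkdf2", "salt": salt, "digest": strong_hash(password, salt)}


def verify(record: dict, candidate: str):
    """Authenticate by comparing digests. Returns (ok, record); a legacy record
    that verifies is re-hashed under the stronger scheme (upgrade on login)."""
    hash_fn = legacy_hash if record["scheme"] == "sha1" else strong_hash
    computed = hash_fn(candidate, record["salt"])
    # Constant-time comparison so response timing does not reveal matching bytes.
    if not hmac.compare_digest(computed, record["digest"]):
        return False, record
    if record["scheme"] == "sha1":
        record = make_record(candidate)  # migrate this user off SHA-1
    return True, record
```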
There are four SHA families (SHA-0 through SHA-3), and SHA-1 is the most widely used. However, it is the least secure and particularly susceptible to attacks, because researchers know how to find collisions, a weakness of hash functions, faster than by brute-force searching.
“Not much faster, but if SHA-1 has a weakness, it will only get weaker as machines get faster and attacks get better,” Furst said. Because of these vulnerabilities, Kickstarter’s decision to advise users to change their passwords was the best possible action. SHA-1 remains in use because replacing it is too large a change to make right now, and the danger is not yet severe enough to force the move.
“It will happen, but it will take time,” Furst said. As far as Kickstarter is concerned, Furst believes that it was hacked through a possible SQL injection, which Microsoft defines as “an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution.”
“This is the most frustrating part about security; too often, the details are hidden and we can’t know exactly what happened, or how to fix it,” Furst said.
Regardless of what happened, Kickstarter took quick and appropriate action to halt the intrusion. It contained the attack by deactivating rogue accounts and removing sensitive files. It then tried to find out what happened by examining log files for the activity that occurred before and after the attack.
Lastly, it recovered by restoring from backup, alerting users to change their passwords and implementing new security procedures. “Kickstarter seems to be doing the right things, though we’ll never know,” Furst said. Numerous technology companies, including computer security firms, have been hacked.
Kickstarter, therefore, is not alone. “I wouldn’t come down too hard on Kickstarter,” Furst said. “It happens, like tornadoes and floods. You get hit, you pick up, carry on and try to be better prepared for when the next attack comes.”