We are in the middle of security conference season. Therefore, it’s not entirely unexpected to see headlines from Black Hat and other conferences discussing “grave” security threats, and what they mean to our ability to protect our organizations and ourselves.
Arguably, the biggest headline of the past few weeks has been the purported discovery of Russian hackers having access to 1.2 billion usernames and passwords across hundreds of thousands of sites. This number has been subject to some scrutiny, as has the methodology and motivation of the individual who disclosed the data store. Indeed, the “1.2 billion records” number seems to be shrinking by the day.
So, is this a turning point as some media outlets seem to think? Honestly, many of us who live and breathe security every day see it a different way:
- This should not be a surprise to anyone. While large username and password breaches make the news, smaller, lesser-known leaks occur on a regular basis, so the collection of such a list would not be unusual.
- We have been suggesting for some time that this is the precise reason why protecting usernames and passwords is so critical – it just isn’t possible to know the scope of every breach, and what records are out there.
- We have NO idea how many of these records are encrypted or clear-text. The notification from the company responsible for disclosing the information did not specify what state the credentials were in.
In other words, I personally do not see this as a particularly earth-shattering event. That said, it is indeed a teachable moment. I think some useful lessons can be learned from this.
We all can use periodic reminders that protecting our usernames and passwords is important. Nearly everyone is guilty of having at least one weak username or password out there. I think many folks are starting to get the message that strong password selection is indeed important. That in and of itself reduces risk in many cases – longer, more complex passwords are typically more difficult to “crack” when stored in an encrypted format. Give your password the best chance of surviving a cracking attack by making it strong.
Aside from strength, this is an excellent opportunity to revisit the notion of unique per-site passwords. The goal is to have each site we log into have a unique password, which reduces the risk of a single password being compromised on a poorly-secured site and being usable on an otherwise secure one.
For example, if your password on a small, poorly-secured Internet vendor selling widgets is the same as your banking password, attackers may be able to compromise the weaker site, steal your credentials, then try them against various more important sites, including banks. Your banking password has been reduced to the lowest common security denominator.
Selecting unique per-site passwords may sound difficult, if not impossible. However, it’s actually quite easy. Password safes such as KeePass can allow you to locally store your passwords in an encrypted format with a master key, where you can retrieve them as-needed.
Such password stores can also automatically generate long, complex passwords on demand such that you don’t have to keep thinking them up. By using per-site passwords, you dramatically reduce the risk of a breach affecting large portions of your Internet life. Perpetrators may compromise one site, but they are going to have to work at breaking each one rather than just the weakest link.
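To make the per-site idea concrete, here is an added example (not code from the post, and not KeePass's own code) that does two things a password safe does for you: it generates long, random passwords from the operating system's secure random source, and it scans a stored set of site credentials for the reuse described above. The character alphabet, the sample vault and the site names are assumptions constructed for the example; a real safe would additionally encrypt the vault under a key derived from the master password, which this example does not attempt.

```python
import math
import secrets
import string
from collections import defaultdict

# Assumed alphabet for generated passwords (the post does not specify one).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def entropy_bits(length: int) -> float:
    """Bits of entropy for a uniformly random password of this length
    drawn from ALPHABET; this is what makes generated passwords hard to crack."""
    return length * math.log2(len(ALPHABET))


def generate_password(length: int = 20) -> str:
    """Return a random password with at least one character from each class.
    `secrets` draws from the OS CSPRNG; `random` would be predictable and
    is unsuitable for credentials."""
    if length < 4:
        raise ValueError("length must allow one character from each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def find_reused_passwords(vault: dict) -> dict:
    """Given {site: password}, return {password: [sites]} for every password
    shared by more than one site. This is the lowest-common-denominator risk:
    one leaked credential unlocks every site in the list."""
    by_password = defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def build_unique_vault(sites, length: int = 20) -> dict:
    """Assign a freshly generated, distinct password to each site."""
    vault, seen = {}, set()
    for site in sites:
        pw = generate_password(length)
        while pw in seen:  # astronomically unlikely, but keep the guarantee explicit
            pw = generate_password(length)
        seen.add(pw)
        vault[site] = pw
    return vault


# Constructed sample vault with deliberate reuse; these are not real credentials.
SAMPLE_VAULT = {
    "widgets.example": "Summer2014!",
    "bank.example": "Summer2014!",
    "mail.example": "correct horse battery staple",
    "forum.example": "Summer2014!",
}

if __name__ == "__main__":
    print("reused before:", find_reused_passwords(SAMPLE_VAULT))
    fresh = build_unique_vault(SAMPLE_VAULT)
    print("reused after:", find_reused_passwords(fresh))
    print("entropy of a 20-char generated password: %.1f bits" % entropy_bits(20))
```

Running the block reports that `Summer2014!` is shared by the bank, forum and widgets sites, then shows that the regenerated vault has no shared passwords at all. The point of `find_reused_passwords` is that reuse is an inventory problem you can check yourself before any breach headline forces the question.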
As I mentioned, this “breach” probably isn’t news to many folks in the security industry. It does, however, remind us that this type of accumulation of data is occurring constantly, much of which is unseen. I respectfully submit that, if you wait for news like this to occur and are panicked into taking action, you may wish to reconsider how you are managing account security.
When I am browsing the Internet, buying items – yes, I do buy things online despite the risks – or even banking, I am aware that it is entirely possible someone has stolen the database powering the website. It’s an admittedly cynical view, but it helps me focus on protecting my identity. When I assume someone already has my data, I can consider a few things, all of which I would suggest can help make anyone more secure:
- If I assume data was stolen, how comfortable am I that the data was well-encrypted? A bank, I presume, will get that part right, but what about a small vendor? If I think there’s a reasonably good chance of poor encryption, I consider other methods of protecting myself.
- Do I need to periodically change my password? This is governed by my own comfort level with a site, how long the password is, when it was last changed and other factors. Regularly changing passwords may or may not have benefit, and it certainly isn’t any fun. But I want to be thinking about the risks of doing so or not doing so.
- Was this password used elsewhere? If so, I am likely to be more concerned, unless it is data I literally don’t care about.
- Does the leakage of data from this site provide an attacker with anything I am uncomfortable with? I am going to be far more concerned about sites with medical information about me than I will about what parts I happened to purchase for my project car in the garage. I will factor this into how complex I make a password, and how often it gets changed.
- Can I use fake information? I do this a lot with online purchases where I am not having anything shipped. There’s no reason for a seller to know my true street address in many cases, so I don’t provide it. Someone at 123 Sesame Street may be getting a lot of junk mail, though…
If you are responsible for the security of an organization, similar trains of thought can be used to gauge your organization’s risk. How likely is it your data has or will be stolen? (Hint: it’s not a zero probability.) How well protected is the data? Do you need to force users to change their passwords? (Ask eBay about this one.)
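The “was the data well-encrypted?” question above, and the “how well protected is the data?” question for an organization, usually come down to how stored passwords were hashed. The following added example (not code from the post) contrasts the poor case, an unsalted fast hash, with a salted, deliberately slow one built from the Python standard library (PBKDF2-HMAC-SHA256). The iteration count, user names and passwords are assumptions constructed for the example; the work factor should be tuned for a real deployment.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor for this example; tune per deployment


def weak_store(password: str) -> str:
    """The 'poor encryption' case: unsalted, fast hash. Identical passwords
    produce identical digests, so one cracked entry reveals every user who
    chose the same password, and a leaked table can be attacked at full speed."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted, slow hash. Each record gets its own random salt, so equal
    passwords no longer share a digest and must be attacked one at a time;
    the iteration count makes every guess expensive for the attacker."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify_strong(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def shared_digest_count(hashes) -> int:
    """Number of digests that appear more than once in a leaked table.
    High counts are the signature of an unsalted store: every reused password
    shows up as a cluster an attacker can crack in one go."""
    counts = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


# Constructed sample users; several share a password on purpose.
SAMPLE_USERS = {"alice": "Summer2014!", "bob": "Summer2014!",
                "carol": "Summer2014!", "dave": "tr0ub4dor&3"}

if __name__ == "__main__":
    weak_table = [weak_store(pw) for pw in SAMPLE_USERS.values()]
    strong_table = [strong_store(pw)["digest"] for pw in SAMPLE_USERS.values()]
    print("shared digests, weak store:  ", shared_digest_count(weak_table))
    print("shared digests, strong store:", shared_digest_count(strong_table))
    rec = strong_store("Summer2014!")
    print("verify correct:", verify_strong(rec, "Summer2014!"))
    print("verify wrong:  ", verify_strong(rec, "summer2014!"))
```

In the weak table the three users who picked the same password collapse into one repeated digest; in the strong table every record is distinct even though the passwords are not. Note what salting does not fix: if a user reused the same password on a site that stored it weakly, the attacker recovers the cleartext there and salting at the well-run site does nothing against that login, which is the reason the per-site password advice stands on its own.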
The more informed we all are, the better we can be prepared. I am a strong advocate of routinely monitoring security feeds for news about breaches, trends, concerns and such, then applying those lessons to my personal and professional lives. Every user has the same ability – take just a few minutes every week and see what’s going on out there.
Decide if it has an impact on you, or if it changes your risk calculus. There will always be risks; the tricky part is determining which ones hold enough relevance for us to do something about them.
Do not wait for some headline to light a fire under you in terms of protecting your data, and that of your organization. Ongoing diligence is essential to reducing our risk in traversing what is becoming an increasingly hostile Internet environment.