This week LastPass, a popular password manager which is often invoked in discussions around securing multiple passwords, announced it had detected suspicious activity on their network, saying: "We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."
While many users consider their passwords completely secure with products like this, the specifics of the data the would-be hackers may have accessed remind us that "Quis custodiet ipsos custodes?" is a relevant question and important concept when considering security. Fortunately, LastPass has their guards in the right place at the right time. For a Q and A with their users, click here.
Security questions (sometimes referred to as "challenge" or "secret" questions) are widely used as a security enhancement for online account access. We know that these questions are vulnerable to social engineering, or to being bypassed when hackers simply guess the answers, but a new study from Google examines exactly how and where these questions create issues. For example, if you have ever forgotten the answer to a hard question (even one that you set up yourself), you're in good company: this happens to 40% of users who choose this strategy. Click here for more interesting data points from the study. The data show why security questions are less desirable, for both users and organizations, than transparent methods of strong authentication that don't share these vulnerabilities.
On the anniversary of Heartbleed, and the discussions it raised around security vulnerabilities and strategies for all kinds of affected organizations, Fortune reports that 74% of Forbes Global 2000 companies are still vulnerable, having put off, or ignored, the relatively simple and well-documented fix for this vulnerability. Citing a recently released report by the security firm Venafi, Fortune's Robert Hackett outlines the steps required to fix the vulnerability and suggests that while many organizations released statements saying they would fix it, many have not.
Regardless of the complexity (or lack thereof) of performing the fix, organizations would have to prioritize it and push it through what can be complex production release processes, while dedicating resources that are more often than not stretched thin. If organizations remain reactive, instead of educating their teams and planning for the inevitable need to respond to new vulnerability reports and to keep pace with security best practices, this pattern will continue, and organizations and their users will remain at risk.
Last week Google released Password Alert, a Chrome extension intended to help users avoid phishing attacks and keep passwords safe by preventing users from inputting their Google password on other sites and from reusing Google passwords on non-Google sites. Whenever a Google password is input into a website, Password Alert shows a message saying "Your Gmail password was just exposed to a non-Gmail page," and tells users to change their Gmail password immediately. While many users would likely tell you they know the difference between a phishing site and the real thing, phishing continues to be an issue and some of the most used and trafficked sites and apps are still targets. Says Andy Greenberg for Slate/Wired: "Phishing remains one of the most serious and intractable problems in information security, and is often the initial breach point for hacker schemes ranging from mass credit card harvesting to sophisticated, state-sponsored targeted attacks. Google estimates that as many as 45 percent of some well-crafted phishing emails can successfully trick users, and that 2 percent of all Gmail messages it sees are phishing attempts. A Verizon report published earlier this month found that a phishing campaign launched against a target corporation or agency can find a gullible user and gain an initial point of compromise within as little as 80 seconds."
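The check described above can be built without the extension ever storing the password itself. The following is an added illustration of that idea, not Password Alert's own code: it keeps only a salted PBKDF2 fingerprint of the protected password, compares each submitted password against it in constant time, and raises an alert when the match occurs on a host outside an allow-list. The host list, the iteration count and the sample password are assumptions made for this example.

```python
import hashlib
import hmac
import os
from urllib.parse import urlparse

# Constructed allow-list (an assumption of this example): the only hosts where
# entering the protected password is legitimate.
TRUSTED_HOSTS = {"accounts.google.com", "mail.google.com"}

# PBKDF2 rounds for the stored fingerprint; high enough that a leaked
# fingerprint is not a cheap route back to the password.
ITERATIONS = 100_000


def make_fingerprint(password: str, salt: bytes) -> bytes:
    """Derive a salted, slow fingerprint; the plaintext never has to be stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordAlert:
    """Holds the fingerprint of one protected password and judges submissions."""

    def __init__(self, protected_password: str):
        self.salt = os.urandom(16)
        self.fingerprint = make_fingerprint(protected_password, self.salt)
        # Nothing else about the password is retained.

    def matches_protected(self, typed: str) -> bool:
        """Constant-time comparison so timing does not leak a partial match."""
        candidate = make_fingerprint(typed, self.salt)
        return hmac.compare_digest(candidate, self.fingerprint)

    def check_submission(self, page_url: str, typed: str) -> str:
        """Return 'alert' when the protected password is sent to an untrusted host."""
        host = (urlparse(page_url).hostname or "").lower()
        if not self.matches_protected(typed):
            return "ok"      # a different password; no reuse detected
        if host in TRUSTED_HOSTS:
            return "ok"      # the genuine login page
        return "alert"       # reuse or phishing: prompt the user to change it


if __name__ == "__main__":
    guard = PasswordAlert("correct horse battery staple")   # constructed sample
    print(guard.check_submission("https://accounts.google.com/signin", "correct horse battery staple"))
    print(guard.check_submission("http://login.example.net/", "correct horse battery staple"))
```

This version evaluates a password at form submission rather than per keystroke, and exact host matching means a lookalike domain never qualifies as trusted. Because only the salted fingerprint is kept, a compromise of the extension's storage yields a value that still has to be brute-forced rather than the password itself.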
It took just a day for a hack to appear on YouTube, showing how a site can get around this tool by simply inserting a few lines of code. Google has since issued a patch.
It isn't as easy as a Chrome add-on to instill in users the kind of wariness and discipline that will keep them safe online. As this blog has previously discussed, increased awareness and education are needed, as opposed to tools that blunt a user's ability to compromise themselves unknowingly. Tools will always be vulnerable, and the best weapon is more likely to be awareness of the dangers facing users.
Jeremy Epstein, a senior computer scientist at SRI, recently published an article on Slate.com discussing the abysmal security of a touch-screen voting device used by "dozens of local governments" in Virginia. While these machines have now been decommissioned, the article represents one instance of what is most likely a very widespread problem: it's probably a lot easier to hack into many of the machines we use day to day than we think, or believe, it is. In this case, a report by the Virginia Information Technologies Agency ("VITA") revealed:
- "The encryption key for the wireless connection is “abcde,” and that key is unchangeable.
- The system hasn’t been patched since 2004.
- The administrator password seems to be hardwired to “admin.” Because the system has a weak set of controls, it would be easy for someone to guess and then enter in the password.
- The database is a very obsolete version of Microsoft Access and uses a very weak encryption key (“shoup”). There are no controls on changing the database. That means that someone could copy the voting database to a separate machine (which is easy to do given the weaknesses described above), edit the votes, and put it back. There are no controls to detect that the tampering occurred.
- The USB ports and other physical connections are only marginally physically protected from tampering. Furthermore, there are no protections once you plug something into one of these ports. What this means is that someone with even a few minutes unsupervised with one of the machines could doubtless replace the software, modify results, etc. This is by far the hardest of the attacks that VITA identified, so it’s almost irrelevant, given how severe the other problems are."
Again, this particular machine has now been decommissioned, but it's very hard to believe these types of issues don't exist elsewhere, making hacking critical functions (voting in this case) something that doesn't take a high degree of skill, or even planning. What would one need to do to hack the system described here? From the article:
- "Take your laptop to a polling place and sit outside in the parking lot.
- Use a free sniffer to capture the traffic, and use that to figure out the wireless connection password, which was “abcde.”
- Connect to the voting machine over Wi-Fi.
- If asked for a password, the administrator password is “admin.”
- Download the Microsoft Access database using Windows Explorer.
- Use a free tool to extract the hardwired key (“shoup”).
- Use Microsoft Access to add, delete, or change any of the votes in the database.
- Upload the modified copy of the Microsoft Access database back to the voting machine.
- Wait for the election results to be published."
It is important to consider protecting, at their most basic levels, the systems and technologies we use every day and take for granted. It can seem a daunting task to protect against some of the more sophisticated attacks that have recently made the news, but first we should look to our basic systems and make sure none of our passwords is still "Admin".
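The VITA findings quoted above include that "there are no controls to detect that the tampering occurred": a results database could be copied, edited and put back with nothing to notice. The most basic such control is an integrity tag over the stored tallies, keyed with a secret that is not part of the database copy. The following is an added example of that control, not code from the article, the VITA report or the voting system; the tally fields, the key and the file layout are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the report): one precinct's tallies and a
# key that in practice would live in a protected store, never in the database file.
SAMPLE_TALLIES = {"precinct": "101", "Candidate A": 412, "Candidate B": 389}
SAMPLE_KEY = b"constructed-demo-key-replace-in-practice"


def canonical(tallies: dict) -> bytes:
    """Serialize deterministically so identical tallies always yield identical bytes."""
    return json.dumps(tallies, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(tallies: dict, key: bytes) -> dict:
    """Return the tallies together with an HMAC-SHA256 tag computed over them."""
    tag = hmac.new(key, canonical(tallies), hashlib.sha256).hexdigest()
    return {"tallies": tallies, "tag": tag}


def verify(record: dict, key: bytes) -> bool:
    """True only if the tallies are byte-for-byte what was sealed under this key."""
    expected = hmac.new(key, canonical(record["tallies"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def demo_tampering(record: dict, key: bytes):
    """Shift ten votes in a copy and report (original verifies, edited copy verifies)."""
    edited = json.loads(json.dumps(record))        # deep copy of the sealed record
    edited["tallies"]["Candidate A"] -= 10
    edited["tallies"]["Candidate B"] += 10
    return verify(record, key), verify(edited, key)


if __name__ == "__main__":
    sealed = seal(SAMPLE_TALLIES, SAMPLE_KEY)
    print("original verifies, edited verifies:", demo_tampering(sealed, SAMPLE_KEY))
```

Two caveats a practitioner would want stated: the tag only helps if the verifying key is unreachable from the machine an intruder controls (a hardware-backed store, or verification performed at the tabulation centre rather than on the device), and an HMAC alone does not stop an older sealed record being put back in place of a newer one, so a sequence number or timestamp belongs inside the sealed payload too.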
Cylance, a firm that has been working on a security vulnerability in Windows for the past month and a half, has made public the details of an 18-year-old security hole that exposes users' usernames and passwords when they are redirected from an HTTP or HTTPS connection to a malicious SMB server. "Cylance found no fewer than four Windows API functions that can be used to redirect a user from an HTTP or HTTPS connection to a malicious SMB server. The forced authentication makes it relatively easy to get hold of usernames and passwords, even if they are held in encrypted form. As well as Windows itself, other programs affected by the problem include AVG Free, Internet Explorer, Windows Media Player, BitDefender Free, TeamViewer, and Github for Windows" says Mark Wilson for betanews.com, in a post summarizing the findings.
Microsoft will likely release a patch for this, and Wilson notes at least one available workaround at the close of his post, but this news adds to the growing urgency around using more than a username and password to authenticate. For those who use the same credentials across multiple sites, this should also serve as a wake-up call: if all you or your users rely on to authenticate is a username and password, and/or you use the same credentials to access multiple sites, it is time to reconsider your position and begin using second- or multi-factor authentication to verify that users are who they say they are.
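From the network's side, the forced authentication Cylance describes shows up as a workstation opening SMB (TCP 139 or 445) to a host on the internet, which almost no legitimate client needs to do; blocking that traffic at the perimeter closes the path, and logging it tells you which machines may already have handed over a credential hash. The following added example (not from Cylance or betanews) runs that detection over a constructed firewall log; the key=value log format and the addresses are assumptions made for the example.

```python
import ipaddress

SMB_PORTS = {139, 445}

# Address ranges that count as "inside"; anything else is treated as the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed firewall log in a simple key=value format (not real traffic).
SAMPLE_LOG = """\
2015-04-14T09:12:01Z src=10.1.2.30 dst=10.1.0.5 proto=tcp dport=445 action=allow
2015-04-14T09:12:07Z src=10.1.2.30 dst=203.0.113.9 proto=tcp dport=443 action=allow
2015-04-14T09:12:09Z src=10.1.2.30 dst=203.0.113.9 proto=tcp dport=445 action=allow
2015-04-14T09:13:44Z src=10.1.2.31 dst=198.51.100.7 proto=tcp dport=139 action=deny
2015-04-14T09:14:02Z src=10.1.2.31 dst=10.1.0.5 proto=tcp dport=139 action=allow
"""


def parse_line(line: str) -> dict:
    """Split 'timestamp k=v k=v ...' into a dict, with the destination port as an int."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(addr: str) -> bool:
    """True for any address outside the internal ranges listed above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text: str) -> list:
    """Return records for SMB connections from an internal source to an external host."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (rec["proto"] == "tcp" and rec["dport"] in SMB_PORTS
                and not is_external(rec["src"]) and is_external(rec["dst"])):
            hits.append(rec)
    return hits


def triage(hits: list) -> dict:
    """Allowed hits may have completed a credential exchange; denied ones were stopped."""
    return {
        "exposed": [h["src"] for h in hits if h["action"] == "allow"],
        "blocked": [h["src"] for h in hits if h["action"] == "deny"],
    }


if __name__ == "__main__":
    print(triage(find_outbound_smb(SAMPLE_LOG)))
```

Hosts in the "exposed" list are the ones whose accounts warrant a credential reset and a check for what initiated the connection; the "blocked" list confirms the perimeter rule is doing its job. Internal SMB, which is normal file-sharing traffic, is deliberately left out of both.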
"Can we have expiring data based on time and need? Can an employee revoke access given to his company for his/her personal data once he leaves the company? Can the keys to the data be handed to the employee and not the employer?" These questions, posed by Deepak Jeevankumar in TechCrunch this week, draw attention to an important and often under-explored area of the discussion around security: trust. Trusted entities (sites, providers, merchants...) have the ability not just to draw customers and users (many of whom may be fleeing compromised competitors), but to educate and promote the secure practices that will make our online lives safer.
Threat-sharing networks, which provide an ongoing view into the threats to, and the security of, sites we may rely on every day, are one technology that can help us get there. In addition, companies and organizations can take steps to establish and demonstrate trust while still maintaining the policies that protect them, making it a "2 way street", which in turn will build trust.
Mr. Jeevankumar argues that shifting our way of thinking to focus more on trust, to innovate around it, and to focus on how it can change the dynamic and frustrating cycle we find ourselves in, will help us to have safer lives online.
Is 2 factor authentication enough?
The value of a second factor when it comes to authentication has been widely discussed, here and across the media. A second factor when authenticating gives the user a second level of protection, which might be enough to stop many of the basic hacks sites and organizations have fallen victim to, where all that was needed to access a system was a valid set of user credentials.
A chat-room service called Slack got hacked this week and, in response, added 2 factor authentication. But that's not all they did: they also added a "password kill switch" feature, which allows an administrator to kick out groups of users and require a password reset. Balancing user experience and security has also been discussed at length here, but Slack adding this feature suggests that security isn't always losing to ease of use anymore. The difference here is that an administrator would use this feature when they suspect something might be amiss, showing that a heightened awareness of security and potential security risks is part of the response. This is different from simply adding complexity to password requirements, or even requiring a second factor, which affects all users. Slack's decision to add security that is responsive is a step beyond requiring 2 factor, in the right direction.
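What a kill switch of that kind has to do on the back end is small but easy to get wrong: every live session for the affected group must die at once, and a correct password must no longer be enough to log in until a reset has been completed. The following is an added, in-memory sketch of that behaviour, not Slack's implementation; the team grouping, the status values returned by login, and the sample users are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored credentials are not directly reusable if leaked."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass
class User:
    team: str
    salt: bytes
    pw_hash: bytes
    sessions: set = field(default_factory=set)   # live session tokens
    must_reset: bool = False                     # set by the kill switch


class AccountStore:
    """In-memory accounts, sessions and an administrator-driven group reset."""

    def __init__(self):
        self.users = {}   # name -> User

    def add_user(self, name: str, team: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(team, salt, hash_password(password, salt))

    def login(self, name: str, password: str):
        """Return ('ok', token), ('reset_required', None) or ('denied', None)."""
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            return ("denied", None)
        if user.must_reset:
            return ("reset_required", None)   # right password, but the team was reset
        token = secrets.token_urlsafe(32)
        user.sessions.add(token)
        return ("ok", token)

    def is_session_valid(self, name: str, token: str) -> bool:
        user = self.users.get(name)
        return user is not None and token in user.sessions

    def kill_switch(self, team: str) -> int:
        """Drop every session in the team and force a reset; returns users affected."""
        affected = 0
        for user in self.users.values():
            if user.team == team:
                user.sessions.clear()
                user.must_reset = True
                affected += 1
        return affected

    def reset_password(self, name: str, new_password: str) -> None:
        """Complete the forced reset; in practice gated by an out-of-band proof such as an emailed link."""
        user = self.users[name]
        user.salt = secrets.token_bytes(16)
        user.pw_hash = hash_password(new_password, user.salt)
        user.must_reset = False


if __name__ == "__main__":
    store = AccountStore()
    store.add_user("alice", "acme", "pw-alice")      # constructed sample users
    status, token = store.login("alice", "pw-alice")
    store.kill_switch("acme")
    print(store.is_session_valid("alice", token), store.login("alice", "pw-alice"))
```

The ordering in login matters: the password is checked before the reset flag, so an unauthenticated caller cannot use the "reset_required" response to learn which accounts exist or which teams have been reset. Clearing the session set, rather than just flagging the user, is what actually ends the intruder's access; a flag alone would leave any already-issued tokens working.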