
Are Passwords Finally Becoming Passé?

It looks like 2017 is continuing right where 2016 left off—with news of a massive data leak and thousands of passwords being exposed on the internet and cached by search engines.

This refers to the gaping security flaw recently discovered in the widely used Cloudflare service. It goes without saying that you should immediately change all your passwords, given how deeply embedded into the internet Cloudflare is. You also should seriously consider using a multifactor step-up capability to access your more sensitive websites and services.

Related article: Cloudflare bug spills passwords in plaintext

Your identity has become a “currency,” and criminals are able to sell it like any other data. Unfortunately, many organizations are dragging their feet in adopting more advanced and secure methods for allowing customers to connect with their services. For the near term at least, passwords are here to stay for the next few years.


In terms of security and availability, passwords are the lowest common denominator. They are cheap to deploy, users understand how to interact with them, and the risks associated with the username-and-password paradigm—while not fully understood—are accepted. But there are three key factors converging that will replace usernames and passwords in the future.

Many more savvy about security

First, policy- and decision-makers are becoming more sophisticated in their understanding of the risks and security profile that simple reliance on passwords presents. Recent announcements from Yahoo CEO Marissa Mayer and General Counsel Ronald Bell should be a bellwether in this regard. Following YAYB (Yet Another Yahoo Breach), Bell resigned without severance pay, and Mayer lost her annual cash bonus and equity award—which some reports estimate to be worth upward of $14 million.

Governmental regulations—such as the revised payment services directive (PSD2) in Europe—are imposing more stringent authentication requirements on financial institutions, while the National Institute of Standards and Technology in the U.S. no longer recommends delivering one-time passwords (OTPs) via SMS in its Digital Authentication Guideline. Password reliance and its associated pain is a global problem.

Advances in biometrics, other alternatives

Second, viable alternatives to the password are gaining widespread acceptance. Since the release of the fingerprint scanner on the Apple iPhone 5S, biometrics have exploded as an alternative to PINs and passwords.

Related article: China embraces FIDO Alliance standards

The FIDO Alliance has grown into an industrywide organization popularizing a set of specifications that increase privacy, security and usability while allowing the multitude of players in the authentication marketplace to ensure interoperability. Adoption of such alternatives is moving along at a solid clip, with millions of users worldwide already using this technology.

Consumers demand more

Finally, users are fed up. They have learned of breach after breach after breach. The added features that complicate a password are not actually making it more secure, but they do make passwords significantly more difficult to input on the small touchscreens that are becoming our primary computing devices.

As these three forces continue to converge, passwords will be replaced in greater and greater numbers.

As a society, we need to overcome password pain and look to the future. Using a fingerprint or other biometric authentication measure helps users look beyond the failed username and password infrastructure. In time, the public will understand how flawed traditional password usage is. It’s both inconvenient and insecure.


In 2017, we will see more companies erring on the side of security, removing passwords and implementing modern authentication strategies that eliminate the opportunity for large-scale password leaks and theft.

This post originally appeared on ThirdCertainty. It was written by Phil Dunkelberger. 

Cybersecurity: Firms Are Just Sloppy

Two more stunning disclosures from self-styled internet watchdog Chris Vickery underscore how organizations continue to routinely expose sensitive data in the cloud, risking dire consequences.

“My findings clearly demonstrate that data breaches happen more often than the general public realizes, and companies are quick to deny and cover up these issues,” Vickery says.

Vickery has revealed how Habitat for Humanity of Michigan had been making use of two backup virtual hard drives without taking steps to block public access to those drives, which contained “lots of background/credit checks for volunteers and applicants, as well as thousands of Social Security numbers,” he says. The nonprofit organization helps build and renovate affordable housing for needy families.

Leaked files show grim reality

In mid-October, Vickery broke news at IDT911’s Privacy Xchange Forum 2016 describing how a California law firm similarly neglected to restrict access to an internet cloud storage location where it kept copies of case files. (Note: IDT911 sponsors ThirdCertainty.) The legal documents Vickery located included notes and surveillance footage that appeared to show guards at a police holding cell in La Habra, CA, failing to take any action as 49-year-old prisoner Daniel Oppenheimer hanged himself.


The notes of the lawyer — whose firm specialized in defending alleged police misconduct — revealed that he looked at the surveillance video and saw “shadows” of a person twice walking past Oppenheimer’s cell during the strangulation, Vickery says. The shadows weren’t noted, however, in the district attorney’s report investigating any wrongdoing by police in Oppenheimer’s death, and Vickery questions whether the person walking past the cell could have stopped the suicide.

Oppenheimer strangled himself with a telephone cord and the zipper of his jail-issued jumpsuit on Jan. 2, 2015. Earlier that day, Oppenheimer was arrested and charged with attempting to strangle his wife at their La Habra home.

Vickery says he contacted the city lawyer’s firm and an attorney representing Oppenheimer’s daughter who filed a wrongful-death lawsuit against the city. The firm wanted Vickery to delete what he found on the internet, and the attorney representing Oppenheimer’s daughter said he would subpoena what was discovered, Vickery says.

Vickery hopes some official will be appointed to review what happened at the holding cell. “It’s important to see that justice was done,” he says.

Helping patch problems

Who is Chris Vickery, and what motivates him? Vickery is a longtime IT staffer. He recently left his full-time position at an Austin, TX, law firm, on good terms, to move to California. Because of his profession, Vickery possessed working knowledge of tools, such as Amazon S3 buckets and Rsync servers, which companies and agencies increasingly use to store copies of business documents.

He also was familiar with Shodan, a search engine that finds and indexes computing devices connected to the internet, such as smartphones, webcams, power plant controls, routers and servers, including servers that lack minimum safeguards, such as a password.

Working in his free time from his home in Austin and using his personal computer, Vickery began hunting for unprotected data as sort of a hobby. He realized, of course, that anyone else, including those with criminal intent, could be in the hunt for the same things he was looking for. So he adopted a personal policy of notifying organizations of any major exposures he found, giving them the opportunity to rectify the oversight.

“It feels good to find a million log-ins and know that I helped this company shut this down, and these million people aren’t going to have to worry their email address is being stolen, or their Social Security number is getting out there or something else bad is happening to them,” Vickery says. “I can imagine my grandmother getting caught up in something like this. And if I can prevent something happening to somebody else’s grandmother, it’s a nice thing to do.”

In January, Vickery announced a partnership with MacKeeper — an international IT investment and development company — to establish “the best security and privacy practices.” Vickery assists with security auditing, discovers potential cyber threats, provides solutions for future vulnerabilities and writes a blog about security and data breaches.

Locking down data not a priority

In an environment where companies amass mountains of data, while also looking to reduce data storage and handling expenses, poor security practices have become the rule, Vickery says.

Typically, an organization might have its live production database up and running in real time but might also need to have a backup version available for the IT staff to tinker with — troubleshooting, testing new techniques and the like.

“The developer team takes a copy of the live production data and puts it in a development server,” Vickery says. “But for convenience’s sake, or because of a mistake, they’ll forget or just simply not put a password on it.”

Vickery emphasizes that he is not a “hacker,” in any technical sense. He is simply conducting internet searches using free tools anyone can learn to master and then using human intellect to connect the dots.


“I’ll find this staging server or development server, and because it has a full copy of the live production data in it, it might as well be the live production database; it’s got all the data in it,” he says.
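Every exposure described in this story comes down to a data store that answered to anyone who asked. As an added example, not from the article or from Vickery’s own tooling, the Python below audits an S3 bucket policy and ACL (the cloud storage the story names) for grants to everyone; the bucket name, account id and role name are constructed placeholders.

```python
import json

# S3 predefined grantee groups that mean "everyone" (real AWS URIs).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principals(principal):
    """Flatten a Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) to a set."""
    if principal == "*":
        return {"*"}
    out = set()
    for value in principal.values():
        out.update(value if isinstance(value, list) else [value])
    return out

def public_policy_statements(policy_json):
    """(Sid, kind) for Allow statements open to any principal. A Condition
    may narrow the grant, so those are tagged for review, not as public."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        kind = "conditional" if "Condition" in stmt else "public"
        findings.append((stmt.get("Sid", "<no Sid>"), kind))
    return findings

def public_acl_grants(acl):
    """(group name, permission) for every ACL grant to a public group."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

# Constructed sample documents in the shape the S3 API returns; bucket name,
# account id and role are placeholders, not real resources.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "DevRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/dev"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-backups/*"}]})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
```

Against real buckets the same two checks apply to the documents returned by GetBucketPolicy and GetBucketAcl; a bucket whose objects are reachable without credentials will show up in one of them.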

Other unprotected information Vickery has found on the internet includes registration information of voters in the U.S. and Mexico, Social Security numbers for millions of people and at least 10 law firms’ client files.

Vickery estimates that he spends at least 30 hours per week “crawling around the far corners of the internet looking for unsecured data troves.” He concludes that companies’ sloppiness about data protection can be shortsighted.

“I think that companies seem to be so careless because less security equals more profit,” he says. “Worrying about good security requires hiring the right people and being willing to not only pay those people, but also to allocate budget funds for their software and appliances.”

Security, Vickery says, “also slows down the research and development process. Many companies appear unwilling to give up the first-to-market advantage just for the sake of security.”

This article originally appeared on ThirdCertainty. ThirdCertainty’s Gary Stoller contributed to this story.

5 Things to Know About ‘Hacktivism’

In July 2015, a hacker who goes by the name Phineas Fisher breached an Italian technology company, Hacking Team, that, ironically, sells spying and hacking software tools.

Fisher exfiltrated more than 400 gigabytes from the company and declared his motive was to stop its “abuses against human rights.”

“That’s the beauty and asymmetry of hacking: With 100 hours of work, one person can undo years of work by a multimillion-dollar company,” Fisher wrote online. “Hacking gives the underdog a chance to fight and win.”

Hacktivism, or the act of hacking into others’ computer networks to promote one’s political or other agenda, has been around as long as the internet. But the technology that’s available is easier and cheaper than ever, lowering the barrier to entry even for those with little experience.

“You don’t have to be an expert to have access and to cause damage to people and their websites,” says Rick Holland, vice president of strategy at Digital Shadows, which has tools to search the internet and the Dark Web to compile compromised information about its clients.

Anonymous, perhaps the most notorious hacking group, largely markets itself as hacktivists. But with the emergence of social media as a loud megaphone that also enables anonymity, other lesser-known hacktivists have become increasingly emboldened in heralding their cause and calling for others to join.


Here are five things every company should grasp about hacktivism:

• Hacktivists are true believers. They are individuals who often belong to a hacker network group online that shares their values and ideology. They can act alone or be prompted by a broader hacktivist campaign, such as OpIcarus or Ghost Squad Hackers. Hacktivists are motivated by branding their agenda — Operation X — and distinguish themselves from cyber criminals who merely pursue financial gains.

But “there’s a lot of blurring of the lines between criminals, espionage actors and hacktivists,” Holland says. “It’s oftentimes difficult to tell who it is. You see some of the cybercriminal organizations that might moonlight take contracts.”

• Controversy can make you a target. Controversial individuals, companies and governmental and nongovernmental organizations are often targets. The list of past victims includes autocratic governments, politicians, agrochemical manufacturers, oil companies, pharmaceutical companies, genetically modified food makers, religious groups, social media websites and others. They generally target large organizations.

Small- to medium-size businesses typically are not on their radar unless they operate in controversial industries. A small supplier to GMO manufacturers, for example, could potentially be a target. “Hacktivists can come after you because of that relationship in the supply chain,” Holland says.

• Attacks can be widespread. Data on the frequency of attacks are hard to come by. But one group, Ghost Squad Hackers, plans to target banks, and their activity offers a glimpse of how quickly plans can proliferate. “We’ve seen 70 different organizations that they’ve announced are going to be targets,” Holland says.

• Attacks can take varied forms. Hackers can compromise the target’s computer systems in all the ways that are available to cyber criminals. They can set up a phishing domain that looks like the target’s domain to acquire sensitive information, such as passwords and company data. Using Twitter (or other social media channels), they may coordinate a distributed-denial-of-service attack on a web page to take it down.


“We may find this out, and then we can tell the company, ‘Look we’re seeing a campaign against one of your executives,’” Holland says. “We give them an idea of a risk to their staff that they didn’t know about.”

• The best defense: Use security best practices, keep a low profile. All the usual cybersecurity steps should be established, such as virtual private networks, multifactor authentication, firewalls and tools to guard against DDoS attacks. Companies should undergo a “threat modeling exercise” to determine how they’d respond in the event of an attack, Holland says. Knowing who to call for help is important.

Organizations that can afford cloud-based services should consider them, as a company can move its traffic up to the cloud if it’s attacked. “If you’re a big bank, you can afford those kinds of services. But if you’re a smaller-tier company, (you should ask) ‘Do I need to spend that kind of money?’ That’s a difficult question,” Holland says.

According to Holland, executives should be trained by the PR staff or consultants to be more careful when speaking publicly and not say things that could incite hacktivists. Suppliers also should be alerted about the possible dangers.

“A lot of hacktivists are typically younger, idealistic people who are getting attached to these causes. So there’s no shortage of that,” he says. “This will never end.”

More stories related to hacktivism:
Cybersecurity a concern for candidates on 2016 campaign trail
Despite precautions, DDoS attacks becoming more dire, damaging
Chaos theory takes root in aftermath of Sony Pictures hack

This post first appeared on ThirdCertainty. It was written by Roger Yu.