Earlier this month, the email addresses and passwords of more than 400,000 Yahoo users were compromised as the result of a security breach. According to several tech news websites, a group of hackers who call themselves the “D33D Company” claimed responsibility for the attack and said that they hoped the breach would serve as a “wake up call” for those in charge of security at the company.
Yahoo isn’t the only company that has been targeted by hackers in recent months. In June, the passwords of more than 6.5 million LinkedIn users were reportedly compromised following a breach and just last week, U.S. semiconductor manufacturer Nvidia announced that up to 400,000 of its forum users may have had their encrypted passwords stolen.
Though the number of network breaches at organizations around the globe seems to be never ending, there are things that companies can do to better protect the online information of their users. Mark Knight, director of product management at data protection solutions provider Thales e-Security, recently spoke with SIW about best practices for safeguarding passwords.
SIW: With all of the password breaches we’ve seen recently, what is it going to take before we see better password protection measures by companies?
Knight: I think the techniques are available today. If you look at the environment being hacked today, we’re seeing mostly social media companies being attacked and if you think about some of the services we’ve been using online for over a decade, things like online banking, those systems have proven to be secure over that period of time. It’s quite rare to read about a major banking security breach, so I think it’s fair to say the technology exists and the expertise exists, but it’s currently being used in areas like financial services and I think the change the industry has got really now is to apply those techniques to other industries, particularly social media but anyone that’s hosting any sort of online service these days. Whether it’s government, whether it’s private, whether it’s retail or whether it’s social media, I think the challenge has been that the economic imperatives for a lot of these organizations has been to get subscriber numbers to find a way to monetize their customer bases. Perhaps it’s evident that some of these companies that really started as start-ups and that now have grown much, much bigger than they even anticipated in the early days, really security wasn’t at the forefront when they architected their solutions. I guess, ultimately, it’s a change of mindset for these companies to recognize that their reputation is at risk and maybe there is a legislative element that legislation will come along and impose regulations on some of these organizations if they don’t put a stop to these breaches.
SIW: Who holds the most blame for these password breaches? Are the online service providers at fault for not having better security measures in place or do you also put some of the onus on users for creating passwords that could be easily deciphered?
Knight: I don’t think the users are really in a position to know how their information is going to be protected. At the end of the day, as a user of an online service, you’re aren’t in a position, you don’t have the expertise and you don’t have the information to make a determination of whether you’re secure, so you have to rely on brand and of course that’s why ultimately brand reputation is at risk. Obviously, for start-ups, they don’t always have a brand, but some of these more established companies, such as Yahoo, have acquired other businesses and you may trust the Yahoo brand. You don’t necessarily understand all of the other businesses they may have acquired and some of the technologies they may have inherited that may not be as secure as things developed in-house. I think as a consumer you’re not in a strong position and frankly, it’s very difficult for any consumer to use a different passphrase for every service they use. Obviously, the best practice is that you don’t keep using and repeating the same passphrase, but I can only imagine that would be a small number people that never break that rule. I guess, at the end of the day, a lot of these services have been built by organizations that were looking to grow as quickly as they could with a focus on functionality over security and I suspect those were compromises that were perhaps made potentially years ago and the environment is made up in many cases of legacy code, which just hasn’t been updated to take into account the current threat profile that the whole industry is facing.
SIW: How can techniques like password hashing be utilized to protect online data?
Knight: Hashing is the term that is used to describe the process of taking something like a password and it’s meant to be a one-way operation, taking that password and converting it through a mathematical operation into another series of bytes or data that is derived from that password. And if I were to repeatedly perform that mathematical operation on the password every time I do it – so if my password is “Fred” and I call a hash function with the data “Fred,” I will get a string of unique characters, which every time I call that hash function that string of unique characters will be the same so it’s a repeatable operation. Maybe I hash the word “Fred” and I end up with the random number 1234. Now the point of a hash is every time I hash “Fred” I would end up with the same number 1234, but it’s a one-way operation, so if I then as an attacker obtain that data 1234, there is no way for me to work backwards to the password and that’s the goal of the hash. It’s a one-way fingerprint to allow you to convert a password into a unique representation of that password that is less sensitive from a security perspective. The idea is, the user needs to remember their password, but as a service provider I don’t want to have a copy of their password. All I want to store is a copy of the hashed password… and every time the user logs on, what I do is I repeat the process of hashing the password they supplied and I then compare the hash I’ve just generated with the one I’ve stored in my database. Essentially, it gives you the situation where, as a service provider, I’m not having to worry quite so much about an attacker stealing that hash because if an attacker is able to break into that web service and somehow break into the database and steal that hash, then really that value is of less use to an attacker.
SIW: What’s the difference between password hashing and password encryption?
Knight: The difference between hacking and encryption is hashing is a one-way operation. So, I can hash “Fred” to 1234. If I have 1234 I cannot get back to “Fred,” but all I can do is repeat the hashing operation and see if the new hash I get matches the one I previously stored. With encryption it’s a reversible operation. So, typically you’re using it to encrypt data that you need to be able to recover and get back to the original plain text data. The difference is as simple as that. Hashing is used particularly for passwords because as a service provider you never need to decrypt or get back to the password. You can rely on the fact that the user will present that password every time they log-in to your website and all you have to do is see if that password matches. Encryption is far more useful for things like email addresses. You want to store email address, maybe you want to protect that data so that it’s harder for an attacker to steal it, but you need a reversible operation because you need to be able to get back to the email address.
SIW: Despite some of the highly-publicized data breaches that we’ve seen in recent weeks, what do you see as some of the bigger threats looking in cyberspace?
Knight: For me, one of the big threats is for every attack that’s discovered and published, how many attacks have gone unnoticed? We saw some very high profile breaches last year, such as the DigiNotar breach of a Dutch certificate authority where actually it took weeks or months for that attack to be publicized and the organization to discover what happened.
SIW: How do you combat groups such as “Anonymous” whose members, for a variety of reasons, have dedicated themselves to breaking into and exposing corporate, as well as government information?
Knight: It’s an arms race at the end of the day. Whatever the IT community does, the attackers are always looking for new techniques to counter that. I think the most important thing is that we learn from the breaches. It would appear from the recent breaches that these aren’t isolated incidents. There’s a successful attack and the same or other attackers apply similar techniques against other service providers. You start to see this sort of epidemic of very similar breaches and I think the most important thing is firstly, that we learn from the breaches. Whenever we see a breach it’s always easy to blame the organization that’s lost data and I think it’s very important, rather than casting blame, we actually say “wait a minute, what can we as an information security community learn from this breach and how can we use this to improve security and make sure that attack, which is now well understood, can’t easily be repeated.” The second thing is to be more proactive in terms of preventing attacks, not waiting until you’ve been breached and not to assume that it’s never going to happen to me. Let’s go back proactively and review the security measures, the security approach I’ve taken and the threats that I consider to be realistic. That’s an expensive process, but if organizations start to do that, ultimately it’s going to make it much, much harder.