Consumer Response to Data Breach: Let's Sue!

Posted on November 2, 2011 by Colin J. Zick

Interesting findings in the Unisys Security Index for the United States regarding what Americans say they would do in the event that they learned of a security breach suffered by an
organization with which they were dealing:

  • Change passwords on that organization’s website and other sites (87%)
  • Stop dealing with that organization entirely (76%)
  • Publicly expose the issue (65%)
  • Take legal action (53%)
  • Continue dealing with the organization but not online (31%) 

Thanks to Ted Julian of Co3 Systems for bringing this report to my attention.

Tags: , , , ,

Most Recent Sony Breach Illustrates the Cascading Effect of Data Breaches

Posted on October 14, 2011 by Colin J. Zick

 

By Michael V. Dowd

It was revealed recently that Sony’s on-line services were the subject of another significant attack. This incident, however, did not exploit a vulnerability in Sony’s security infrastructure so much as it highlighted the cascading effect of data breaches.

Rather than try to scale any fences or jimmy any windows, this attack used account holders’ own keys to open the front door. According to a statement by Sony, the attackers tested a “massive set” of log-in credentials, consisting of pairs of user IDs and passwords, against accounts on three of its networks. Even though the “overwhelming majority” of the log-in attempts failed, they successfully breached about 93,000 user accounts. This indicates that the attackers used stolen log-in credentials, and did not resort to brute force or dictionary attacks. 

How did the attackers obtain this trove of log-in information? Sony says it is “likely” they were stolen from elsewhere and not from its own networks, based on the low success rate. This may well be true, given the numerous incidents reported of late, some of which gave rise to our post referring to 2011 as The Year of the Breach

If that scenario holds, it highlights the secondary effects of data breaches, and the relationship among user accounts on different on-line services. It has long been known that individuals often reuse the same username and/or password across multiple on-line services. As a result, if any one of those services suffers a breach that exposes its log-in information, corresponding accounts on the other services become open to the attackers. It is very much a “weakest link” situation.

This risk was also raised in the immediate aftermath of the data breaches at Sony this past Spring. The company initially reported the loss of unencrypted account passwords, which could have had the same cascading effect on its users’ other accounts. Sony later stated that the passwords were in fact hashed. As we described at the time, “hashing” differs from “encryption,” but storing passwords in a hashed form can be an effective way to keep an attacker from seeing or using the plain-text passwords of account holders. Password hashing is a known security technique that apparently was not in place at the “weak link” among the on-line services shared by those 93,000 users.

Tags: , , , , , , , , , , , , , , ,

Sony Breach Update: The Scope Expands, While Consumers Wait for Answers About How and Why It Happened

Posted on May 8, 2011 by Colin J. Zick

By Michael V. Dowd

The scope of the Sony data breach is growing, but the public focus continues to be on Sony’s actions following the breach, rather than on steps to prevent or mitigate events like these in the first place. As we noted earlier, this focus emphasizes a de facto burden-shifting, in which consumers bear the risk of using on-line or other services, and also are left to face the consequences of any resulting identity theft.

Sony last week announced that 77 million PlayStation and Qriocity accounts had been accessed by hackers in mid-April. This week, Sony discovered that an additional 24.7 million Sony Online Entertainment (SOE) accounts were compromised during the same timeframe. In the SOE breach, Sony confirmed that the compromised information included the bank account, credit card and debit card numbers of thousands of non-U.S. account holders.

It is now up to account holders to deal with the consequences. Sony’s response to the SOE breach has been to engage a third-party email distributor to send a Customer Service Notification. The notice places the onus on account holders to look out for email and other scams, to obtain credit reports, to consider contacting U.S. credit bureaus in order to place a “fraud alert” on their credit file, and to contact various federal and state agencies for information about preventing identity theft. This repeats Sony’s previous advice to its PlayStation and Qriocity users.

Meanwhile, the House of Representatives is seeking information from Sony about the situation. The Subcommittee on Commerce, Manufacturing, and Trade sent a letter to Sony with thirteen questions about the data breach. The letter primarily focuses on post-breach information, such as Sony’s delay in first notifying customers and authorities, and Sony’s investigation of the breach.

The public is still waiting for information about how consumer data was (or was not) protected by Sony. In its notice to SOE users, Sony stated that it does not believe that its main credit card database has been compromised because it is in a “completely separate and secured environment.” This begs the question: in what sort of “environment” was the remainder of the information (name, mail and email addresses, birthdate, gender, phone number, login name, etc.) stored? The notice also states that there is an “outdated database from 2007” that contains the bank account and credit and debit card numbers that were compromised.

Among all of the bad news, there was one encouraging development. Sony originally reported that the PlayStation and Qriocity breach include account passwords, which were not encrypted. This was particularly concerning, as on-line users may use the same password for different accounts, including those for on-line banking or shopping. In a blog post this week, Sony clarified that the account passwords, while not encrypted, were in fact “hashed.” Although different than “encryption,” hashing can be a reliable method of protecting password information. When a user first selects a password, the password is transformed by a function into a coded, or hashed, version of the password. Later, when the user attempts to log-on, the newly entered password is transformed by the same hashing function. The web site verifies that the result matches the coded version already stored on its server. In this way, the web site never needs to store the actual password. In addition, hashing is intended to be a one-way process, meaning that while hashing functions can transform a password into a coded version, they cannot transform the coded version back into its original form. This suggests that the hackers should not be able to determine users’ actual passwords, even if they have the hashed versions.

There has been much public discussion about what Sony knew, when it knew, and how soon it went public. Real progress will be made when measures to prevent such data losses are strengthened. Perhaps lessons learned from these events will help in those efforts.

Timeline:

April 16 to 19 – Hackers access PlayStation and Qriocity and Sony Online Entertainment account data

April 20 – Sony takes PlayStation and Qriocity services off-line

April 26 – Sony announces the hacking of 77 million PlayStation and Qriocity accounts

May 2 – Sony announces that 24.6 million Sony Online Entertainment accounts were also breached
Tags: , , , , , , , , ,

You Call That a Password? Passwords Used to Protect Personal Health Information in Clinical Trials Are Cracked More Than 90% of the Time

Posted on February 23, 2011 by Colin J. Zick

In a recent article in the Journal of Medical Internet Research, the strength of passwords in clinical trials was analyzed. In all cases that were examined, "the recovered passwords were poorly constructed, with names of local locations (e.g., “ottawa”), names of animals (e.g., “cobra”), car brands (e.g., “nissan”), and common number sequences (e.g., “123”)." 

This result comes as no real surprise.  These conclusions build on prior studies which have repeatedly shown that password strength is weak.  It is perhaps the easiest and cheapest way to increase IT security and yet it continues to receive short shrift.

The study also noted that "the files in [the] sample used the default weak encryption methods. Therefore, an adversary had two different ways to extract the PHI: by attacking the weak algorithm itself or by attacking the weak password."

The study's recommendations?  Fairly simple:  "use the built-in password protection capabilities available in tools for common file formats (such as WinZip and Microsoft Office) and then transmit the encrypted files" and "using PGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions)."

Tags: , , , , , ,

If You Haven't Changed Your Password Since Our Last Blog Entry About Passwords, It's Time You Did

Posted on December 15, 2010 by Colin J. Zick

In January, we provided some helpful hints about passwords, in our entry:  Is Your Password Still "123456"? If So, It's Time for a Change.

It's been nearly a year, so it's time to change your password again.  In case you need some help, we liked the guidance provided by the public radio program, Marketplace, in a recent broadcast.  Ironically, these recommendations come from an expert whose company's password databases had just been hacked.  

If you want to test the strength of your password, the expert recommended sites like Lastpass or 1Password.

Tags: , , , , , , ,

Is the Rejection of Security Advice by Users Really Rational? A Response to Cormac Herley

Posted on April 10, 2010 by Colin J. Zick

In the April 11, 2010, Boston Globe, there is an extended discussion of an article by Cormac Herley of Microsoft entitled, "So Long, And No Thanks for the Externalities:  The Rational Rejection of Security Advice by Users."  In his paper, Mr. Herley argues thoughtfully that compliance with even simple security measures, like changing your passwords, is so time-consuming that it is not worth the effort for most users.

This is an interesting argument and article (although it is a mite technical), as it poses an argument worthy of real consideration.  There is no dispute that security measures do decrease productivity to some extent.  The question that needs to be asked is how much does security actually impair productivity and is the cost in lost productivity less than the costs from an actual security breach?

As Mr. Herley suggests, the answers to this question are difficult, because of "externalities" -- economic costs that are visited on some people by the actions of others.   His solution is not simply to reject security measures, but to analyze them and determine what works and what does not, so that it is easier to determine what measures are worth users' time and what measures do not pay off.  In Mr. Herley's words, "security advice that has compelling cost-benefit trade-offs has a real chance of user adoption."  This trade-off analysis is a worthy exercise for any individual and for any organization.

Tags: , , , , ,

Incident of the Week: Free iPhone Password Breaker Released

Posted on February 5, 2010 by Gabriel M. Helmer

Back in October you may remember our post on Elcomsoft, a Russian software company that came out with program to decrypt common wireless network signals.  Well, they're back this week with a program that will "enable[ ] forensic access" to password-protected backups for Apple iPhone and iPod touch devices.  In other words, if someone obtains access to the computer you use to sync your iPhone they could also get access to "backups containing address books, call logs, SMS archives, calendars, camera snapshots, voice mail and email account settings, applications, Web browsing history and cache."  And while the program is in beta testing, Elcomsoft is even giving the program away for free

The program apparently uses the computing power of the latest generation of video cards to perform a dictionary or "wordlist-based attack" to recover the password needed to unlock the backup files.  This means that if your password can be found in a dictionary or a hacker's wordlist, there is a program out there that will unlock it.  With technology like this out there to decode commercially available encryption schemes, the best protection we may have is to select a sufficiently complex password to defeat wordlist based attacks (and not to use the same password for all your online activities as Twitter's recent incident and Trusteer's recent survey (.pdf) have suggested are rampant problems). 

Tags: , , , , , , , ,

Is Your Password Still "123456"? If So, It's Time for a Change

Posted on January 21, 2010 by Colin J. Zick

If you or your co-workers use any of the passwords listed below, you are asking to be hacked.  According to a report from the consulting firm Imperva, this list reflects an analysis of some 32 million passwords that an unknown hacker stole in December 2009 from RockYou, a company that makes software for users of social networking sites.  Somewhat shockingly, the password "123456" was used by nearly 1% of all RockYou users; the "top 20" RockYou passwords are reproduced below:   

1.    123456
2.    12345
3.    123456789
4.     Password
5.     iloveyou
6.    princess
7.    rockyou
8.    1234567
9.    12345678
10.   abc123
11.   Nicole
12.   Daniel
13.   babygirl
14.   monkey
15.   Jessica
16.   Lovely
17.   michael
18.   Ashley
19.   654321
20.   Qwerty

Hackers around the world now have this list of 32 million passwords and are using it to make brute force attacks on accounts and networks.  How can you defend yourself?  Change and toughen your passwords, lengthening them and adding a mix of letters and numbers.  If you are trying to defend your company's network, you need to adopt and enforce more rigorous password policies.  Tougher passwords will not make you or your networks hack-proof, but they will put you ahead of the thousands of people who still use "123456."

Tags: , , , , , ,

Incident of the Week: Russian Company Proves That WiFi/Wireless Networks No Longer Secure

Posted on October 15, 2009 by Gabriel M. Helmer

ElcomSoft Co. Ltd., a Moscow-based "password recovery" company, has announced that its  software can make an encrypted wireless network accessible using only a PC and the innovative computing power of consumer graphics cards from Nvidia.  This software would appear to allow anyone to intercept internet traffic over wireless networks encrypted with the WPA or WPA2 algorithms.  British security consultancy Global Secure Systems says that this is "extremely worrying" and has indicated that this means that WiFi networks are no longer secure.

Decrypting wireless traffic by guessing the encryption key, a "brute force" decryption, has been a possibility for some time; however, the computing power of most personal computers has prevented this from becoming a realistic threat (e.g., a computer attempting to guess the right password might take months or years to guess correctly).  New leaps in computing power has changed this landscape.  Computer graphics card companies like Nvidia have opened up the computing power bottleneck by allowing developers to run programs on high-powered parallel processors used in consumer graphics cards.  The end result is that buying a new video card and a $1,200 software package reportedly could speed up a brute force decryption 10,000 percent (and the same graphics card will let you play the newest PC games and speed up a variety of other, more innocent applications like Adobe Photoshop).  As a result, our use of wireless networks, everything from passwords to email, could be intercepted and decrypted relatively easily. 

David Hobson of Global Secure Systems indicates that anyone with a high-end graphics card has “a machine capable of tumbling wireless keys out of the ether and decrypting them in a matter of hours rather than months."  In an interview with SC Magazine, Hobson takes the view that additional security measures, such as running an encrypted VPN (Virtual Private Network), are now necessary to comply with the UK Data Protection Act. Similarly, U.S. companies in the EU Safe Harbor Program or complying with U.S. information security rules, such as Gramm Leach Blilely Act regulations, HIPAA or federal and state identity theft rules, need to consider whether their wireless networks are appropriately secured against this threat.  Businesses transferring regulated information on WiFi networks may need to adjust their information security programs and practices accordingly.

Links:

 

Tags: , , , , , , , , , , ,

Incident of the Week: Ever-Growing Breach Involving Passwords for Hotmail, Gmail, Yahoo, AOL, Earthlink and Comcast

Posted on October 8, 2009 by Jeff Bone

What started out as an incident involving the leak of 10,000 user names and passwords for Windows Live Hotmail accounts continues to grow, both in terms of users and companies affected.  According to reports from the beginning of the week, more than 10,000 user names and passwords from Hotmail were posted by an anonymous user on the site pastebin.com.  The list was limited to accounts starting in A and B, leaving the fear that numerous more accounts had been affected.  The original reports speculated that the breach was the result of a hack of Hotmail or a phishing attack.  But more information is surfacing that indicates that the breach is much larger than many first thought.

Subsequent reports have revealed that as many as 20,000 accounts have been compromised across numerous email providers, including Yahoo, AOL, Comcast, Earthlink and others, and that .  These reports noted that the affected companies believed that the breaches occurred because of phishing attacks (although one researcher, Mary Landesman, who works for ScanSafe, has said that "it's more likely that the massive lists . . . were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses."

As more details emerge, it seems that more questions remain to be answered.  Exactly how many passwords have been compromised, and from how many companies?  Was the breach due to a single massive phishing attack, multiple smaller fishing attacks, or some type of malware? Why were lists of affected users posted online?  Whatever the answers, it might be a good idea to take a few minutes to change your email passwords from a computer that has been swept for viruses and malware.

Links:

 

Tags: , , , , , , , , , , ,