Have you Considered Online Security?
Haven't read part one? Catch up here
A good starting point is to see which systems you register on send you an email containing your user name and password, even if this is in two separate emails. To me, that suggests that they haven't thought through the security implications. Email is inherently insecure and even if you plan to change your password quickly, it can be intercepted and for a short while your account is vulnerable.
Try this out to see how they handle it. If they send you the password back in plain text it means that either they store it in plain text (and are vulnerable to all sorts of internal and external breaches) or they have a script on the server that de-crypts it. The latter also of course being available to the hacker.
The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification?
The story of Mat Honan
If this is the case think twice about registering on the site. Certainly use a password unique to that system and keep your personal data to a minimum. Definitely do not store financial information there. It may soon come to pass that the Credit Card companies start to use excuses for not paying out where they feel you should have been more aware and taken greater care.
A secure system stores the password in encrypted form and cannot easily get back to the original password. Instead they will have to set a process where you go back to the site to change it either from a link sent directly to your email address or through answering security questions (or both).
Choosing and Recalling Your Password
If, like me, you have a couple of hundred sites you log in to, it starts to get a little difficult to remember all the unique, mixed alpha/numeric/upper/lower case/special character passwords. I therefore categorise the sites and then do, admittedly, share a common password on some. For example the forum sites I use where I have little or no personal data all have the same memorable password. Each finance site though has a different one that has a common route in either a memorable event or place, but gets changed every 3-6 months.
Form of a Password
Take another look at Troy Hunts blog. The frequency of 6 and 8 character passwords is clear and the reason obvious – anything longer is hard to recall if we have been clever with the creation. And don't assume that just replacing A=4, Z=2, E=3, S=5, O=0 etc is any good. The hackers will have a simple script that substitutes those letters automatically when guessing words you have used.
Which of these passwords do you think could be broken first?
abc123 or J6s+A$un
and if the hackers had a file of a million encrypted passwords would they wait to use them until they had all decrypted? No, so make yours one of the last they are likely to crack.
- 8-10 characters
- Mixed alpha-numeric-punctuation
- Include upper and lower case
- Try mixing a remembered letter pattern with a memorable number
- Don't use names, places or dates
Is that Going to be Enough?
But it is sometimes not in your control. These two events highlight the problem where you could have taken all your precautions but something fundamental in the internal processes makes an area you have no knowledge of vulnerable and key accounts lost then give access to everything.
Infolink is a small breach of just under 2,000 accounts but that included the details of 46 system administrators.
Toshiba lost just under 8,000 customer records when 11 administrator user IDs and corresponding plain text passwords were stolen.
These highlight the need to keep every system separate as far as possible. If a system has been breached in this way the username and password may match other sites you use.
Only as Strong as the Weakest Link
Even after you take every precaution you can think of, events such as the two above can undo everything. So then think about your own organisation.
- Are your administrator passwords encrypted and secure?
- How quickly is a leavers account disabled?
- How soon do you change passwords on systems they had access to?
- What do you do about social media site login details?
- Are any login details shared?
- Can you trace back who made changes?
- Can a leaver download and email data?
The faster you consider possible vulnerabilities and fix them, the faster people think of ways around them. So make sure security is second nature and you have most doors closed and locked and only need to think about possible new routes in.
If you are then taking control of your systems and looking after your clients data, then we can hope that others are out there looking after yours – as well as you.
And the Scariest to Date?
Team GhostShell are a collective of hackers who have released 1 million records garnered from 100 websites of banks, US agencies and consultancies. They took user IDs, passwords and files – bit of a mix. Some of the files are reported to contain credit histories.
It appears the objective was to highlight how some of the content management systems used by the attacked organisations were either insecure or contained sensitive data that the site was not intended to hold.
In the end the attacks were all through what is known as a "SQL Injection" – a very basic mistake where a hacker finds a form were they can inject code that breaks the system. This is the first thing that any self-respecting web development company should fix. I've heard it referred to as (trying to pick a lock to find the door is unlocked in any case".
Come back in a few days for some more insights on keeping yourself safe – one of the cornerstones of Free Rein's philosophy.