Will Tech Industry Ever Fix Passwords?
What LinkedIn and other recent breaches tell us about widespread security risks as we embrace social media and cloud applications in the enterprise.
Mon, July 16, 2012
CIO — After the recent security breach that hit professional social networking site LinkedIn, social media companies are scrambling to patch over their poor security practices. Wait too long to address known security holes, and CIOs should worry about seeing their companies targeted, hacked and eventually vilified in the press.
The list of major breaches gets longer every day: LinkedIn, eHarmony and Last.fm are just the recent ones. Add to that list the Department of Defense, TJX, Sony, Heartland Payment Systems, Emory Healthcare, Global Payments ... well, you see where this is going.
Damaging data breaches are the norm in 2012, not the exception.
According to the Identity Theft Resource Center, there were 189 known breaches from Jan. 1 of this year through the beginning of June. Those breaches have exposed approximately 13.7 million records.
Why LinkedIn Is Different (and Why It's Not)
The nature of the data involved helps explain why the LinkedIn breach has gotten so much attention. "LinkedIn's data is of much higher quality than other sites," says Paul Kocher, president and chief scientist at Cryptography Research, Inc. (CRI). "There is just so much information about who people really are and what is important to them."
With high-quality information, attackers can launch much more sophisticated and targeted attacks.
But in other respects, the attack isn't out of the norm. "People are shocked by LinkedIn's poor security practices, but this is widespread," Kocher noted. "Plenty of organizations are far worse off than LinkedIn. It's easy to start fixing security when you're motivated by a breach, but until then, many organizations hope for the best."
Passwords: The Root of All Data Breach Evils
A number of recent high-profile attacks (Aurora, RSA, Stuxnet, LinkedIn and attacks on many defense contractors) have involved compromised passwords, either as the attacker's way in or, as at LinkedIn, as the stolen prize itself.
"The modus operandi has been similar -- a targeted email containing malware infiltrates a PC and hides its tracks using a rootkit. Later it contacts its command server and downloads a keylogger/screen scraper module, which performs the intended objective: stealing user credentials resulting in the theft of vital data," says George Waller, executive vice president at security firm StrikeForce Technologies.
To make matters worse, in this age of cloud computing, SaaS and increased mobility, users are spreading their credentials everywhere. Passwords themselves are weak: dictionary attacks are routine, and when a site stores fast, unsalted hashes (as LinkedIn did, with plain SHA-1), precomputed rainbow tables crack even stronger passwords quickly, because the table is built once and reused against every user.
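The difference between a hash that falls to a precomputed table and one that does not is worth seeing in code. The following is an added example written for this article, not code from LinkedIn or from any vendor quoted here: it puts the weak pattern (one fast, unsalted SHA-1 per password) next to the standard-library hardening (random per-user salt plus an iterated KDF, PBKDF2-HMAC-SHA256). The wordlist and the user records are constructed sample data, and the iteration count of 1,000 in the demo is only to keep it quick; production deployments use far higher counts or a dedicated password hash such as bcrypt or Argon2.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real cracking dictionary (example data, not a leak).
WORDLIST = ["123456", "password", "linkedin", "qwerty", "letmein", "Welcome1"]


def sha1_unsalted(password):
    """Weak storage: a single fast, unsalted SHA-1 over the password.

    Two users with the same password get the same hash, and one precomputed
    table works against every user of every site that uses this scheme.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once. A rainbow table is a space-optimised
    form of the same idea; either way the cost is paid once, up front."""
    return {sha1_unsalted(w): w for w in words}


def crack_unsalted(leaked_hashes, table):
    """Against unsalted hashes every leaked entry is a single dictionary lookup."""
    return {h: table[h] for h in leaked_hashes if h in table}


def pbkdf2_salted(password, salt=None, iterations=100_000):
    """Hardened storage: random per-user salt plus a slow, iterated KDF
    (PBKDF2-HMAC-SHA256 from the standard library). Store salt and digest together."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password, salt, digest, iterations=100_000):
    """Recompute with the stored salt; constant-time compare so the check leaks no timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_salted(records, words, iterations=100_000):
    """With per-user salts no table can be built in advance: the attacker must
    rerun the slow KDF for every (user, word) pair. Returns {user: plaintext}."""
    cracked = {}
    for user, (salt, digest) in records.items():
        for w in words:
            if verify_pbkdf2(w, salt, digest, iterations):
                cracked[user] = w
                break
    return cracked


def work_factor(num_users, num_words, iterations):
    """Hash/KDF evaluations needed to test every word against every user:
    unsalted = one table build shared by all users; salted = per user, per word, iterated."""
    return num_words, num_users * num_words * iterations


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = [sha1_unsalted(p) for p in ("linkedin", "qwerty", "c0rrect-h0rse-battery")]
    print("unsalted SHA-1 cracked:", crack_unsalted(leaked, table))

    records = {  # constructed users; "alice" reuses a dictionary word, "bob" does not
        "alice": pbkdf2_salted("linkedin", iterations=1_000),
        "bob": pbkdf2_salted("c0rrect-h0rse-battery", iterations=1_000),
    }
    print("salted PBKDF2 cracked:", crack_salted(records, WORDLIST, iterations=1_000))
    print("work factor (users=1e6, words=1e6, iters=1e5):", work_factor(10**6, 10**6, 10**5))
```

Run it and the unsalted side gives up two of three hashes with six lookups, while the salted side still recovers "alice" (a weak password stays weak) but only by paying the full KDF cost for each guess against each user, with nothing reusable across users or across sites. The salt does not make a guessable password strong; it removes the attacker's ability to do the work once and apply it everywhere.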
"The concept of having users deploy their passwords to every cloud site is nuts," says Garret Grajek, CTO of SecureAuth Corporation. "It would be a mistake, however, to conclude that this makes the cloud inherently insecure."