Graham Cluley, a Security Expert and blogger from Sophos got in contact after reading my recent posts on the latest Monster jobsite breach and the problem website passwords.
Graham had also highlighted the same issues with website passwords on his blog, and has put together nice little video explaining the issue, which he has kindly allowed me share below.
What the Monster.com security breach teaches us about passwords from Sophos Labs on Vimeo.
A UK view on Cybersecurity & Information Security, Everything Computer Security from the very basics to the advanced. A blog with a focus on the latest Cyber Security developments & issues in the UK, including Hacking, Privacy (GDPR), Data Breaches, security standards such as NIST, PCI DSS, Cyber Essentials & ISO27001, all will be simply explained.
Friday, 30 January 2009
Wednesday, 28 January 2009
Monster Jan09 breach: The Website Passwords Problem
Only a day or so after posting "The Problem with website Passwords" another big data breach at online job website “Monster” has come to light. What is particularly relevant to my last post and highly concerning, is in their breach statement Monster said website user account passwords were stolen along with other personal details, including Email addresses, names and user IDs.
"We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers" - statement from http://www.monster.com/
Firstly their web application is blatantly insecure by design, it's basic web application security for website (web application) passwords to be one-way hashed with a unique salt (number), which in other words making it pretty much impossible to obtain a user's actual password anyone, including a hacker or someone with full privileged access. This is because in using hashing means the website database does not store the user's actual password, but instead a unique hash (long number) equating to the user's password, which is checked upon sign on.
Secondly, as I said in the The Problem with website Passwords post, it is likely most Monster website users are using the same website credentials on other website accounts (i.e. user id, email address, their name, password), so hundreds of thousands of online banking, PayPal and eBay accounts are now likely to be at risk because of this breach, this is not just about Monster.com. On the black market this type of website account access information has high value, typically ten times the value of a stolen credit card for example, and this in my view is probably the reason why Monster was targeted for this information in the first place. Security monitoring of Monster accounts isn’t going to help as the horse as bolted, it is likely this information has probably been split up and already sold on around the world, just to repeat this point, the target of the breach is not to illicitly access people's CVs on Monster!
Finally Monster also stores an array of typical password reset questions, based on personal information only known to the website account holder. Monster didn't make any mention of this in their statement, but it's fair to assume these details were also stolen along with everything else, again providing fraudsters with all the information they need to impersonate a victim online, including resetting passwords on other websites. If this is indeed the case, I would have to say this is one of worst breaches I’ve seen, since it is putting Monster user's other websites usage at risk, from what I’ve read so far I think the media have missed this angle in reporting the breach and its potential significance and impact on the average joe.
My advice, if you are Monster user, change your Monster website password to something unique in case they are hacked again - let's be honest Monster have a history of data breaches now! Then ensure you aren't using that new password or your old Monster website password on any other website you are signed up with. And finally consider any Monster password reset questions you have in place and potential impact on other websites using the same reset questions.
"We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers" - statement from http://www.monster.com/
Firstly their web application is blatantly insecure by design, it's basic web application security for website (web application) passwords to be one-way hashed with a unique salt (number), which in other words making it pretty much impossible to obtain a user's actual password anyone, including a hacker or someone with full privileged access. This is because in using hashing means the website database does not store the user's actual password, but instead a unique hash (long number) equating to the user's password, which is checked upon sign on.
Secondly, as I said in the The Problem with website Passwords post, it is likely most Monster website users are using the same website credentials on other website accounts (i.e. user id, email address, their name, password), so hundreds of thousands of online banking, PayPal and eBay accounts are now likely to be at risk because of this breach, this is not just about Monster.com. On the black market this type of website account access information has high value, typically ten times the value of a stolen credit card for example, and this in my view is probably the reason why Monster was targeted for this information in the first place. Security monitoring of Monster accounts isn’t going to help as the horse as bolted, it is likely this information has probably been split up and already sold on around the world, just to repeat this point, the target of the breach is not to illicitly access people's CVs on Monster!
Finally Monster also stores an array of typical password reset questions, based on personal information only known to the website account holder. Monster didn't make any mention of this in their statement, but it's fair to assume these details were also stolen along with everything else, again providing fraudsters with all the information they need to impersonate a victim online, including resetting passwords on other websites. If this is indeed the case, I would have to say this is one of worst breaches I’ve seen, since it is putting Monster user's other websites usage at risk, from what I’ve read so far I think the media have missed this angle in reporting the breach and its potential significance and impact on the average joe.
My advice, if you are Monster user, change your Monster website password to something unique in case they are hacked again - let's be honest Monster have a history of data breaches now! Then ensure you aren't using that new password or your old Monster website password on any other website you are signed up with. And finally consider any Monster password reset questions you have in place and potential impact on other websites using the same reset questions.
Wednesday, 21 January 2009
The Problem with Website Passwords
We are all consumers of the Internet and as consumers we are heavily reliant website a single username and a password to identify and authenticate ourselves into the vast majority websites, the number of different websites any one typical individual is tapping in a username and password combination, is not only an awful lot and but is always increasing. Typically we are talking in the excess of 30 different websites, which range from e-commerce shopping websites, online banking, an auction sites, social networking websites, online Email, forums and message boards, World of Warcraft and even blog sites such as this one, so the list of websites requiring an individual access credential by an Internet consumer is pretty endless. Yet if someone else were to find out and use our website access credentials for ill gain, it can turn into a stressful situation at best, or a costly time consuming soul destroying nightmare of identity theft.
However when it comes to the security of our website passwords, it tends to be overlooked and “taken for granted” by us, the website consumer, even though it fall within our own security responsibility. Be truthful, do you really use different usernames and passwords for each different website? Naturally the vast majority of people I ask do not use different passwords for each individual website, for the simple reason a menagerie of passwords on thirty plus separate websites is too higher burden for the average person, and so memorising all those different passwords is just unacceptable security trade off to be accepted by most folk. Yet using the same combinations of username and password credentials on different sites presents an increased risk, should a single account access credential be compromised.
The “Single Sign-On” Solution
This problem is far from a new one, and Internet egg-heads have being trying to crack it for many years now, and hoping to make a buck or two in the process. The answer to the website username and password problem is to replicate how this same age old problem was tackled and generally resolved within the corporate network environment. Over a decade ago the same problem was faced within the corporate IT environment; where there many different IT Systems requiring different credential combinations for individual access, in fact today this problem is still happening in the corporate world to a lesser extent.
The answer to the problem was to use “single sign-on” access to authenticate a user once and use that master authenticating to grant the appropriate access to the many other systems within the corporate environment. The “single sign-on” solution is fairly easy to implement within the corporate environment, simply because the backbone corporate network access system can be implicitly trusted, with it being the entry point perimeter for all individual access within the environment, the “master” the of access control if you like. Using a “master” system for access control allows single sign-on access to be used to govern and control access to other IT systems and applications within the corporate environment. This has works well within private corporate networks, so we just need the same type of single sign on access for different Internet websites. So we require a perimeter “master” access control system, which can be implicitly trusted. Who can set this up and be implicitly trusted by the huge array of organisations and communities on the internet, oh that’s Microsoft, right?
Microsoft Single Sign-on
The Microsoft single sign-on system, originally dubbed “Net Passport” and now called “Windows Live” was launched many years ago with the purpose of being the de facto Internet website single sign-on, and indeed it was a real contender for a website single sign-on access. However for whatever reason (could it be trust?) it really never took off, with only Microsoft websites such as Xbox Live and the odd commercial website signing up to use the system.
Others have also tried creating a website internet single-sign, but it’s still all work in progress at the moment. I think one day a across the board trusted Internet single sign-on system will eventually happen, but I think it will be built around a more secure hardware token based system, rather than a password based system for access. However, the reality of today is the vast majority of websites require a username and password combination which is unique to that particular website.
The age old Password Problem
Using a username and password to control access has always been a problematic and far from a perfect security control. The specific problem is such as system is reliant on an individual memorising a password, which can cause the following yo-yo problem:
1. The first problem is people have a tendency to write down their passwords. The more complex the password requirement and the more difficult the password becomes to remember, the more likely the password will be written down by the user. Writing down passwords can pretty much remove the main purpose of having a password system in the first place. Another to which cause people to write down passwords, is if the password reset process is cumbersome to the individual, they more likely to write down than go through it again.
In the corporate world I come many access control systems using over zealous password requirements. For example a system using a complex password of at least 16 characters in length, with a forced change every 30 days actually increases the security risk of an account being compromised. The increased risk is simply because of the likelihood of the password being written down by the system users increases significantly. In my view, best practice is to force passwords to be complex with at least 8 characters in length, with a 90 day forced change and 3 attempt account lock out. The secret is the account lockout, which safeguards the system against bruteforce attempts and negates the requirement for over lengthy passwords and over zealous forced password changes. However what is interesting to compare here is that it is extremely rare that account lockout is used on Internet websites, other than with the odd online banking websites, which means hackers can and do brute force website accounts.
2. The second problem with Internet websites credentials is with the actual password reset process. Especially if you consider ecommerce sites, as the last thing they want is to make it too difficult for their consumers to access their shopping cart and to pay at the check out system. From their point of view, if a customer can’t log in, they can’t spend, so it doesn’t make good business sense for them so make the consumer password reset process over difficult when consumers forget their password, yet this introduces a security weakness.
Let’s take for Sarah Palin’s (remember her?) online Email account which was easily “hacked” during the recent American election campaign. Why was it easy? Well it is because her password reset question was easily guessable. In this case the password reset question was about her personal history, which just happened to be splashed across the media at the time.
If you look at the typical website password reset questions, What is your favourite colour? What’s your post code? What’s your date of birth? Where were you born? What’s your favourite sport?” What’s your dog’s name? What school did you first attend? What university did you attend?” Obtaining your account name and your email address, or guess them in some cases couple with details about your background can be enough for a cybercriminal to access your website account. You could find out the answers to most of these types of password reset questions using a search engine or within social network sites. In fact such personal details are sold by cybercriminals
I saw stats from the Serious Organised Crime Agency which said you can buy a complete package of UK personal data on an individual for £80. Actually I find from my research it’s a lot less, around £20 per package. What you get for your money along side a credit card or bank account information is a full profile, full name, full address, date of birth, educational history, and other miscellaneous information which can include pet names, and even children details. The bad guys even offer a guarantee it is correct! So when looking at those typical website password reset questions, you can understand why individual profile information has a lot more commercial value than bank and credit card details, as well as for the identity credit theft angle, where such details can be used to obtain credit fraudulently.
I know some of some UK banks which use a single factor username and password, together with personal question (i.e. what’s your mother maiden name?) to gain to online banking.
Many website actually email a new reset password or even the original password to the individual. Although there is one type of online website which doesn’t Email passwords but displays them on the webpage, and that’ web based Email, which is common used technique which hackers, in going for control of the targets web based Email, which ironically allows them to read password resets from other websites.
Summary
So if the password reset process is too difficult, as with most online bank accounts (not all of them though!), the more likely the consumer will write the password down somewhere. Quite often I find users tend to store their website passwords on their PC, usually in a Notepad or within a Word document on their desktop, talk about putting all your eggs in one basket! Sure this is a different risk to using the same combination of credentials over and over again on different websites, but still presents a risk. If you must put all your eggs in one basket by storing them, there are ways to store them securely on your PC, which usually involves an application and remembering another username and password!
Another method often used is to automatically store usernames and passwords in the web browser, so they automatically populate the credential fields on the website. Again not the best policy, especially if the PC is shared or in a cyber cafĂ©. Credentials held in browser cache are not usually stored encrypted and can be easily recovered, and some malware applications actually targets such information. In fact 95% of malware (viruses, worms, etc), have one aim, to steal data, with website access credentials top of their list. There many different types of malware attack, which can be simple as recording a person’s key strokes and secretly forwarding those details on, and there is even malware which will scan for files and documents matching the profile of holding account and password details. It’s not too hard, go to your search box and search for “password” for example.
In the corporate world, for some reason people like writing passwords onto Post-It notes and sticking to their monitors, another place to check is under the keyboard, which is a favourite of IT folk for some reason.
Tips
1. Use different passwords with different sites. Especially ensure you are use unique passwords for those highly sensitive websites, such as your online banking and any e-commerce websites which store your payment card information.
2. If you need to store your array of passwords, ensure they are stored encrypted. You could use“password vault” application or encryption software such as TrueCrypt or PGP to create an encrypted file or folder.
3. Be careful setting your password reset questions.
Good systems let you set your own question yourself. If it does ensure it is a question that no-else could guess.
TIP: If a friend or close relative doesn’t know the answer to your question, then it’s a good password reset question.
If the system uses bad password reset questions, such as “What’s your first school? Lie in the answer and put something different that you remember, but ensure you can remember that lie!
In the corporate world it is best practice to change your passwords every 90 days, however most people never ever change their online password. But if you can find time, try to change your website password on annual basis.
TIP: Pay particular attention to older passwords on systems, which tend to use poor passwords complexity requirements, meaning they can be brute forced or are guessable.
4. Ensure your Anti-Virus is enabled and up-to-date. 95% of Malware (Virus, Worms), collect information, especially website login credentials, which can collected from browser cache (stored passwords) or from monitoring what’s typed by the user (known as a key logger). Keeping your Anti-Virus up-to-date will help keep such malware at bay.
However when it comes to the security of our website passwords, it tends to be overlooked and “taken for granted” by us, the website consumer, even though it fall within our own security responsibility. Be truthful, do you really use different usernames and passwords for each different website? Naturally the vast majority of people I ask do not use different passwords for each individual website, for the simple reason a menagerie of passwords on thirty plus separate websites is too higher burden for the average person, and so memorising all those different passwords is just unacceptable security trade off to be accepted by most folk. Yet using the same combinations of username and password credentials on different sites presents an increased risk, should a single account access credential be compromised.
The “Single Sign-On” Solution
This problem is far from a new one, and Internet egg-heads have being trying to crack it for many years now, and hoping to make a buck or two in the process. The answer to the website username and password problem is to replicate how this same age old problem was tackled and generally resolved within the corporate network environment. Over a decade ago the same problem was faced within the corporate IT environment; where there many different IT Systems requiring different credential combinations for individual access, in fact today this problem is still happening in the corporate world to a lesser extent.
The answer to the problem was to use “single sign-on” access to authenticate a user once and use that master authenticating to grant the appropriate access to the many other systems within the corporate environment. The “single sign-on” solution is fairly easy to implement within the corporate environment, simply because the backbone corporate network access system can be implicitly trusted, with it being the entry point perimeter for all individual access within the environment, the “master” the of access control if you like. Using a “master” system for access control allows single sign-on access to be used to govern and control access to other IT systems and applications within the corporate environment. This has works well within private corporate networks, so we just need the same type of single sign on access for different Internet websites. So we require a perimeter “master” access control system, which can be implicitly trusted. Who can set this up and be implicitly trusted by the huge array of organisations and communities on the internet, oh that’s Microsoft, right?
Microsoft Single Sign-on
The Microsoft single sign-on system, originally dubbed “Net Passport” and now called “Windows Live” was launched many years ago with the purpose of being the de facto Internet website single sign-on, and indeed it was a real contender for a website single sign-on access. However for whatever reason (could it be trust?) it really never took off, with only Microsoft websites such as Xbox Live and the odd commercial website signing up to use the system.
Others have also tried creating a website internet single-sign, but it’s still all work in progress at the moment. I think one day a across the board trusted Internet single sign-on system will eventually happen, but I think it will be built around a more secure hardware token based system, rather than a password based system for access. However, the reality of today is the vast majority of websites require a username and password combination which is unique to that particular website.
The age old Password Problem
Using a username and password to control access has always been a problematic and far from a perfect security control. The specific problem is such as system is reliant on an individual memorising a password, which can cause the following yo-yo problem:
1. The first problem is people have a tendency to write down their passwords. The more complex the password requirement and the more difficult the password becomes to remember, the more likely the password will be written down by the user. Writing down passwords can pretty much remove the main purpose of having a password system in the first place. Another to which cause people to write down passwords, is if the password reset process is cumbersome to the individual, they more likely to write down than go through it again.
In the corporate world I come many access control systems using over zealous password requirements. For example a system using a complex password of at least 16 characters in length, with a forced change every 30 days actually increases the security risk of an account being compromised. The increased risk is simply because of the likelihood of the password being written down by the system users increases significantly. In my view, best practice is to force passwords to be complex with at least 8 characters in length, with a 90 day forced change and 3 attempt account lock out. The secret is the account lockout, which safeguards the system against bruteforce attempts and negates the requirement for over lengthy passwords and over zealous forced password changes. However what is interesting to compare here is that it is extremely rare that account lockout is used on Internet websites, other than with the odd online banking websites, which means hackers can and do brute force website accounts.
2. The second problem with Internet websites credentials is with the actual password reset process. Especially if you consider ecommerce sites, as the last thing they want is to make it too difficult for their consumers to access their shopping cart and to pay at the check out system. From their point of view, if a customer can’t log in, they can’t spend, so it doesn’t make good business sense for them so make the consumer password reset process over difficult when consumers forget their password, yet this introduces a security weakness.
Let’s take for Sarah Palin’s (remember her?) online Email account which was easily “hacked” during the recent American election campaign. Why was it easy? Well it is because her password reset question was easily guessable. In this case the password reset question was about her personal history, which just happened to be splashed across the media at the time.
If you look at the typical website password reset questions, What is your favourite colour? What’s your post code? What’s your date of birth? Where were you born? What’s your favourite sport?” What’s your dog’s name? What school did you first attend? What university did you attend?” Obtaining your account name and your email address, or guess them in some cases couple with details about your background can be enough for a cybercriminal to access your website account. You could find out the answers to most of these types of password reset questions using a search engine or within social network sites. In fact such personal details are sold by cybercriminals
I saw stats from the Serious Organised Crime Agency which said you can buy a complete package of UK personal data on an individual for £80. Actually I find from my research it’s a lot less, around £20 per package. What you get for your money along side a credit card or bank account information is a full profile, full name, full address, date of birth, educational history, and other miscellaneous information which can include pet names, and even children details. The bad guys even offer a guarantee it is correct! So when looking at those typical website password reset questions, you can understand why individual profile information has a lot more commercial value than bank and credit card details, as well as for the identity credit theft angle, where such details can be used to obtain credit fraudulently.
I know some of some UK banks which use a single factor username and password, together with personal question (i.e. what’s your mother maiden name?) to gain to online banking.
Many website actually email a new reset password or even the original password to the individual. Although there is one type of online website which doesn’t Email passwords but displays them on the webpage, and that’ web based Email, which is common used technique which hackers, in going for control of the targets web based Email, which ironically allows them to read password resets from other websites.
Summary
So if the password reset process is too difficult, as with most online bank accounts (not all of them though!), the more likely the consumer will write the password down somewhere. Quite often I find users tend to store their website passwords on their PC, usually in a Notepad or within a Word document on their desktop, talk about putting all your eggs in one basket! Sure this is a different risk to using the same combination of credentials over and over again on different websites, but still presents a risk. If you must put all your eggs in one basket by storing them, there are ways to store them securely on your PC, which usually involves an application and remembering another username and password!
Another method often used is to automatically store usernames and passwords in the web browser, so they automatically populate the credential fields on the website. Again not the best policy, especially if the PC is shared or in a cyber cafĂ©. Credentials held in browser cache are not usually stored encrypted and can be easily recovered, and some malware applications actually targets such information. In fact 95% of malware (viruses, worms, etc), have one aim, to steal data, with website access credentials top of their list. There many different types of malware attack, which can be simple as recording a person’s key strokes and secretly forwarding those details on, and there is even malware which will scan for files and documents matching the profile of holding account and password details. It’s not too hard, go to your search box and search for “password” for example.
In the corporate world, for some reason people like writing passwords onto Post-It notes and sticking to their monitors, another place to check is under the keyboard, which is a favourite of IT folk for some reason.
Tips
1. Use different passwords with different sites. Especially ensure you are use unique passwords for those highly sensitive websites, such as your online banking and any e-commerce websites which store your payment card information.
2. If you need to store your array of passwords, ensure they are stored encrypted. You could use“password vault” application or encryption software such as TrueCrypt or PGP to create an encrypted file or folder.
3. Be careful setting your password reset questions.
Good systems let you set your own question yourself. If it does ensure it is a question that no-else could guess.
TIP: If a friend or close relative doesn’t know the answer to your question, then it’s a good password reset question.
If the system uses bad password reset questions, such as “What’s your first school? Lie in the answer and put something different that you remember, but ensure you can remember that lie!
In the corporate world it is best practice to change your passwords every 90 days, however most people never ever change their online password. But if you can find time, try to change your website password on annual basis.
TIP: Pay particular attention to older passwords on systems, which tend to use poor passwords complexity requirements, meaning they can be brute forced or are guessable.
4. Ensure your Anti-Virus is enabled and up-to-date. 95% of Malware (Virus, Worms), collect information, especially website login credentials, which can collected from browser cache (stored passwords) or from monitoring what’s typed by the user (known as a key logger). Keeping your Anti-Virus up-to-date will help keep such malware at bay.
Sunday, 11 January 2009
Why UK Data Breach Disclosure Laws are Necessary
Just before Christmas, a UK national press reporter asked for my views on public disclosure of data breaches by UK companies. The reporter was writing a piece highlighting UK companies and organisations which appear not to have a policy of publicly discolouring their data breaches, and were even dead set against any moves for new UK laws forcing public disclosure.
I think the reporter was expecting a "the public has the RIGHT to know" type response; however I see a more overall fundamental benefit for having laws in place to ensure all UK companies and organisations fully disclosure data breaches to the UK general public...
“Public disclosure of data breaches plays an important role in driving security improvement across industries. Public scrutiny and criticism often acts as a wake up call to companies running unnecessary risks, especially those operating in the same industry as the breached organisation. There is nothing like seeing a competitor made to run over hot coals due to a data breach, to invoke a Board level reaction within similar type companies, which leads to self assessment (could this happen to us?) and quick instigation of security improvements. If you found out your next door neighbours house was burgled, isn’t one of your first reactions to assess your own home’s security?
The public are entitled to be fully informed about data breaches, not just those individuals affected. As consumers, we want to make a fully informed decision when buying products and services, and knowingly or not, security and trust comes into play with our decision process. This is especially the case with companies which take and hold our money and personal details. Such informed consumer choice, provides competitive pressurises, ensuring companies meet their security obligations, responsibility and entrustment demanded by their customers.
Keeping data breaches secret is a dangerous approach, as this approach prevents public discussion and the raising of security awareness. As a result other companies are not benefiting and learning the lessons, and so are not driving security improvement and can continue to run unnecessary risks with their customer’s information.”
I think the reporter was expecting a "the public has the RIGHT to know" type response; however I see a more overall fundamental benefit for having laws in place to ensure all UK companies and organisations fully disclosure data breaches to the UK general public...
“Public disclosure of data breaches plays an important role in driving security improvement across industries. Public scrutiny and criticism often acts as a wake up call to companies running unnecessary risks, especially those operating in the same industry as the breached organisation. There is nothing like seeing a competitor made to run over hot coals due to a data breach, to invoke a Board level reaction within similar type companies, which leads to self assessment (could this happen to us?) and quick instigation of security improvements. If you found out your next door neighbours house was burgled, isn’t one of your first reactions to assess your own home’s security?
The public are entitled to be fully informed about data breaches, not just those individuals affected. As consumers, we want to make a fully informed decision when buying products and services, and knowingly or not, security and trust comes into play with our decision process. This is especially the case with companies which take and hold our money and personal details. Such informed consumer choice, provides competitive pressurises, ensuring companies meet their security obligations, responsibility and entrustment demanded by their customers.
Keeping data breaches secret is a dangerous approach, as this approach prevents public discussion and the raising of security awareness. As a result other companies are not benefiting and learning the lessons, and so are not driving security improvement and can continue to run unnecessary risks with their customer’s information.”