AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

September 2015 - Posts

  • Courts Concrete FTC As Nation's Cyber Supercop

    That the Federal Trade Commission (FTC) has court-approved authority to bring legal action against companies embroiled in data breaches is old news by now. Of course, when you consider that the FTC has been suing companies over data breaches since 2005, and has over 40 such cases under its belt to date, this doesn't sound like groundbreaking news. Indeed, for all intents and purposes, everyone appeared to accept that the FTC should be playing cybercop.  

    It's a Bold Move

    Everyone, that is, except Wyndham Worldwide Corporation, a hotel and resorts company. After being sued by the FTC – how could they not? Wyndham had experienced three data breaches over two years; let's face it, that's up there as data breaches go – the company argued that the FTC did not have the authority to bring legal actions against companies for data breaches.

    Last month, the courts declared otherwise. The Third US Circuit Court of Appeals sided with the FTC and declared that the Commission did indeed have the right (some might even say the duty) to go after companies that were remiss in protecting customers' sensitive data. Wyndham begs to differ (my emphasis):

    "While we are disappointed by today's opinion, we continue to contend the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security," Michael Valentino, a spokesperson for Wyndham Worldwide, told BuzzFeed News.

    I guess Wyndham could try to get an opinion from the US Supreme Court. If anything, Wyndham cannot be accused of not having enough panache. I'll bet their hotels are excellent.

    Where's the Beef?

    One of the arguments that Wyndham made, and will probably make again once they're back in the lower courts (they still have to defend themselves against the FTC's accusations), is that the FTC didn't make clear what level of security it was looking for. It turns out that it may be a moot point: according to the FTC's accusations, which the court made a point of drawing attention to, Wyndham was being sued because it did not have certain security in place at all, never mind the level of security:

    the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, … did not restrict specific IP addresses at all, … did not use any encryption for certain customer files, … and did not require some users to change their default or factory-setting passwords at all.

    Think of it this way: if a friend asks you to pick up some beer at the store, there's a heck of a difference between saying,
    • hey, I didn't know what kind you liked, so I got this (nice; it's the thought that counts)
    • hey, I didn't know what kind you liked, so I got all of these different ones (generous, although there's a chance you missed the mark)
    • hey, I didn't know what kind you liked, so I didn't get you any (no need to comment, I imagine)

    Likewise, the complaint Wyndham is making about security levels is a deflated one if the FTC is right.

    The court also pointed out that FTC action was brought against a different company in the past for essentially the same issues Wyndham was being accused of. It goes without saying that if one company was sued because of certain security shortcomings, then a different company would also be sued for the same.

    Also, consider that (a) there was a period of 6 years between Wyndham and the company given as an example, meaning the former had more than adequate time to put something in place and (b) Wyndham had been hacked three times in two years. Three times!

    Furthermore, if the accusation holds, Wyndham's three data breaches were essentially more of the same: if shortcomings were shored up after the first breach, the second and third data breaches could very well not have taken place.  

    Fair Notice of Proposed Standards for Data Security

    Among all the untenable things that Wyndham has proclaimed, there is one salient truth: the FTC has never issued guidance on what cybersecurity measures are considered reasonable. It could be argued that Wyndham failed to use and to implement specific data security and protection measures and policies because such guidance was lacking. There is no denying that the dissemination of an official to-do list would make it easier to adhere to best practices.

    The thing is, there are plenty of companies around the size of Wyndham that are doing an excellent job of protecting customer data – or at least, meeting the lowest possible acceptable standards – despite the lack of a data security guideline from the FTC.

    (Wyndham ranked #497 in the 2015 Fortune 500 list, in case you're wondering whether the company has the financial wherewithal to properly secure data.)

    True, many companies in the Fortune 500 tend to be in the technology sector, making things a little bit easier for them. But Wyndham being in the hospitality business is not much of a defense: they can always hire consultants. Chances are, they already have, currently do, and will continue to do so. After all, someone in the tech sector has to set up and run their global POS network, customer loyalty tracking software, global CRM, etc. The argument that Wyndham didn't have the proper data security and technology in place because, simply put, they didn't know what to use, is a shallow one and an impermissible one at that.

    The argument seems even less believable when you consider that there are many laws, industry regulations and agreements geared towards preventing the types of blunders that Wyndham is accused of engaging in. It's the 2010s; one does not simply argue that they failed to properly secure their network because there were no guidelines.

     

    Related Articles and Sites:

    http://www.wsj.com/articles/appeals-court-affirms-ftc-authority-over-corporate-data-security-practices-1440425754
    http://arstechnica.com/tech-policy/2015/08/ftc-can-sue-companies-with-poor-information-security-appeals-court-says/
    http://www.wired.com/2015/08/court-says-ftc-can-slap-companies-getting-hacked/
    http://www.buzzfeed.com/hamzashaban/court-says-ftc-can-sue-companies-for-sloppy-cybersecurity

     
  • Ashley Madison Passwords Easy To Crack After All

    Ah, Ashley Madison. Even as one tries to move away from it to other issues, new problems surface like toxic malaise at a swamp: fraudulent $19 data scrubbings, men being conned by bots, some of the weakest passwords known to mankind securing their servers, an ex-CTO who supposedly hacked the competition… Michael Corleone, I get you now.

    Remember how, at the beginning, despite everything that happened, Ashley Madison was given something of a tentative kudos for using bcrypt to secure their clients' passwords? The hashing algorithm that hinders brute-force hacking, and thus the unauthorized recovery, of passwords?  

    Congratulations Released Prematurely

    Well, according to Ars Technica, a team of crypto-cracking enthusiasts has found that the Ashley Madison passwords – released onto the internet on August 18, along with internal emails and other data – were not strongly secured when you really get down to it. Yes, bcrypt was used. Yes, bcrypt is one of the better ways to secure passwords against brute-forcing. But it became a moot point (from arstechnica.com):

    CynoSure Prime…an astounding discovery: included in the same database of formidable bcrypt hashes was a subset of 15.26 million passwords obscured using MD5, a hashing algorithm that was designed for speed and efficiency rather than slowing down crackers.

    Digging into emails, the hobbyist hackers discovered that prior to June 14, 2012, MD5 was used to secure passwords. It was only after this date that bcrypt was used. Furthermore, it turns out that Ashley Madison's engineers only used the lowercase alphabet when creating and storing MD5 hashes, which could indicate that Ashley Madison's customers may not have been as irresponsible when creating their passwords. For what it's worth, pasSworD is nominally more secure than password, but there's no way for us to know now whether potential philanderers were cognizant of this detail.

    Incidentally, this is not the first time that I've run across a company transforming customers' passwords into less secure versions of themselves. Amazon, for example, supposedly truncated and capitalized passwords in the past. What are the ramifications when passwords are transmogrified in this manner? Again, from arstechnica.com:

    If the setting was a nearly impenetrable vault preventing the wholesale leak of passwords, the programming errors—which both involve an MD5-generated variable the programmers called $loginkey—were the equivalent of stashing the key in a padlock-secured box in plain sight of that vault.

    In other words, because the MD5 passwords correspond to a subset of the bcrypt passwords, the former were attacked, since it was much easier to do, in order to recover the latter. It should be noted that this means only a subset of the passwords were easily compromised (if you can call 15 million out of 36 million a subset; it certainly is, but so is 36 million out of 36 million). As a client, if you signed up after June 2012, the assumption is that your password is still safe, assuming you didn't pick a weak one.
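    To make the "key in a padlocked box" pattern concrete, here is an added Python sketch; it is not Ashley Madison's code or CynoSure Prime's analysis. The loginkey reconstruction (an unsalted MD5 of the lowercased password) is a hypothetical simplification, and PBKDF2 with a high iteration count stands in for bcrypt, which is not in the Python standard library.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt, which is not in the Python standard library:
# PBKDF2-HMAC-SHA256 with a high iteration count. Only the cost gap between
# a deliberately slow hash and a fast one like MD5 matters here.
SLOW_ITERATIONS = 50_000

def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)

def legacy_loginkey(password: str) -> str:
    # Hypothetical reconstruction of the weak pattern: an unsalted MD5 of the
    # lowercased password stored next to the slow hash. It is fast to compute
    # and throws away the case of every letter.
    return hashlib.md5(password.lower().encode()).hexdigest()

def store_legacy(password: str) -> dict:
    # The "key in a padlocked box" layout: strong hash and weak hash side by side.
    salt = os.urandom(16)
    return {"salt": salt, "slow": slow_hash(password, salt),
            "loginkey": legacy_loginkey(password)}

def store_hardened(password: str) -> dict:
    # The slow hash is the only value derived from the password; anything the
    # application needs for persistent logins is a random token instead.
    salt = os.urandom(16)
    return {"salt": salt, "slow": slow_hash(password, salt),
            "token": os.urandom(32).hex()}

def migrate_legacy(record: dict) -> dict:
    # Remediation for existing rows: drop the password-derived key and issue a
    # random one. The slow hash is untouched, so users keep logging in.
    clean = {k: v for k, v in record.items() if k != "loginkey"}
    clean["token"] = os.urandom(32).hex()
    return clean

def verify(record: dict, password: str) -> bool:
    # Constant-time comparison against the slow hash only.
    return hmac.compare_digest(record["slow"], slow_hash(password, record["salt"]))

def case_variants(password: str) -> int:
    # Candidates the slow hash would still have to rule out once the lowercase
    # form is known: two choices per letter, one per non-letter.
    return 2 ** sum(ch.isalpha() for ch in password)
```

    The legacy record answers the same loginkey for pasSworD and password, so the bcrypt-grade hash only has to be checked against the 256 case variants of an 8-letter word rather than the full keyspace; the migrated record has nothing password-derived left beside the slow hash.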

    What Happened in 2012?

    "[Ashley Madison's] parent company Avid Life Media was at risk of a security breach," predicted the company's CTO in 2012. This was a comment, according to businessinsider.com, on the Grindr hack of January 2012. He also wrote (from vice.com):

    "With what we inherited with Ashley [Madison], security was an obvious afterthought and I didn't focus on it either," the company's founding CTO Raja Bhatia wrote at the beginning of 2012. "I am pretty sure we stored passwords without any cryptography so a database leak would expose all account credentials."

    Could this have been the impetus behind the switch to bcrypt from MD5 - a bungled one, obviously? If so, perhaps the criticism that they weren't interested in security at all should be curtailed a bit. Naturally, all other criticisms are still valid.

     

    Related Articles and Sites:

    http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/
    http://cynosureprime.blogspot.kr/2015/09/how-we-cracked-millions-of-ashley.html
    http://www.businessinsider.com/ashley-madison-cto-predicted-security-risk-in-2012-2015-8
    http://motherboard.vice.com/read/security-was-an-afterthought-hacked-ashley-madison-emails-show
     
  • Password Security: Ashley Madison Patrons Had Terrible Passwords

    Last week, motherboard.com reported that 4000 cracked passwords belonging to Ashley Madison customers were "awful," security-wise. The site went on to conclude that:

    It's understandable for users to be frustrated with Ashley Madison for failing to protect their data. But when customers are choosing passwords that could probably just be guessed, they need to take some responsibility for their own security.

    How bad were these passwords? Well, the usual suspects did make an appearance: 12345, password, abc123, etc. – the type of passwords data security professionals worth their salt would cry over. You can see the list by visiting pxdojo.net. Notice anything unusual about the three passwords I've listed?

    Password Requirements Like It's 1999

    One of the things that immediately came to my attention was the password length. Over the past five years or so, security researchers have published papers showing that short passwords are worthless. The last time I checked, an adequate password (in this case, "adequate" is being used in its pejorative sense) was around 15 characters long.

    When looking at the cracked Ashley Madison passwords, there are more than a handful of passwords that are only 5 characters long. Plus, many of them were straight-up numbers like 12345. No letters, no special characters, etc.

    I thought it odd, so I visited the Ashley Madison site to see what type of password requirements they had for wannabe adulterers and adultery-enablers. In essence, they had no requirements. Passwords have to have at least 5 characters. They max out at 28 characters. There appear to be no requirements for mixing numbers, letters, capitalization, and special characters. Just make sure they're 5 characters long. That's all.

    In light of this, I find it amazing that, of the list of nearly 4000 cracked passwords, only 417 passwords were 5 characters long:

     

    Password length    1   2   3   4    5     6    7    8    9   10   11   12
    Instances found    9   0   0   1  417  1859  804  696  157   36    6    0

     

    Let's face it, this doesn't mean that Ashley Madison clients were, ahem, "security conscious." The popularity for passwords longer than the bare minimum could be explained by other factors, such as most words being longer than 5 characters (I don't know if this is factual; I'm just floating it as a possibility).

    But I did notice that a subset of the passwords were non-words like 12345. So, I went through the list and fished out the ones that were numbers-only or nonsensical (like zxcvbnm).

     

    Password length    1   2   3   4    5    6    7    8    9   10   11   12
    Instances found    9   0   0   1  153  453   48   61   36    8    2    0

     

    As you can see, even when a person is making up a password from scratch, it tends to be longer than 5 characters in length. Why? Some of it is, no doubt, because of the keyboard layout. For example, zxcvbnm represents the lower row for a QWERTY keyboard layout. Likewise, qwertyuiop and 1234567890 represent the upper rows. But, this fails to explain passwords like 1111111111 (that's 10 ones).

    I can only conclude that people are using passwords that are longer than the required minimum because all the chatter about data security and passwords is finally sinking in. This is something we should be happy about.

    Still, password length is not the end-all, be-all of password security. When it comes to passwords, even more important than length is variety. There is a reason why most websites will force a user to pick a password that is at least 6 characters long and uses a mix of upper and lower case letters, numbers, and special characters.

    Some will even go as far as checking that the email handle is not used as part of the password, which, unsurprisingly, wasn't part of Ashley Madison's password requirements either. One of the commenters at pxdojo.net was doing his own research on the breached passwords, and he posted 18,000 instances where the password was an exact match to the email address.

    When you consider all the rudimentary things Ashley Madison did not require of their clients' passwords, I'm not sure if I can agree with motherboard.com's assessment that "customers [who] are choosing passwords that could probably just be guessed…need to take some responsibility for their own security."

    Rightly or wrongly, people are going to opt for the least hassle when it comes to passwords. We know that this is true; this is why websites put up password requirements. The lack of such requirements is enough to make me wonder if Ashley Madison was taking security seriously.
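    As an added example (not the author's code or the pxdojo.net analysis), here is Python that rebuilds the length tables above from a constructed sample, fishes out the digits-only and keyboard-row passwords the post describes, and applies the kind of composition and email-handle checks the post says the site lacked; the sample passwords, the 8-character minimum and the three-of-four class rule are my own choices.

```python
import re
from collections import Counter

# Constructed sample in the spirit of the cracked list; not the real data.
SAMPLE_PASSWORDS = [
    "12345", "password", "abc123", "zxcvbnm", "qwertyuiop", "1234567890",
    "1111111111", "letmein", "pasSworD", "monkey", "123456", "sunshine",
]
# QWERTY keyboard rows, which several of the cracked passwords simply walk along.
KEYBOARD_ROWS = ("zxcvbnm", "asdfghjkl", "qwertyuiop", "1234567890")
MAX_LENGTH = 28  # the site's maximum, as observed in the post

def length_histogram(passwords, max_len=12):
    # Counts per password length, 1..max_len, in the layout of the post's tables.
    counts = Counter(len(p) for p in passwords)
    return {n: counts.get(n, 0) for n in range(1, max_len + 1)}

def is_nonsense(password: str) -> bool:
    # Digits only, one repeated character, or a run along a keyboard row
    # (in either direction), like 12345, 1111111111 and zxcvbnm in the post.
    if password.isdigit() or len(set(password)) == 1:
        return True
    low = password.lower()
    return len(low) >= 3 and any(low in r or low in r[::-1] for r in KEYBOARD_ROWS)

def check_policy(password: str, email: str, min_length: int = 8) -> list:
    # Returns the rules a password fails. The 8-character minimum and the
    # three-of-four class rule are my choices, stricter than the site's.
    failures = []
    if len(password) < min_length:
        failures.append("too short")
    if len(password) > MAX_LENGTH:
        failures.append("too long")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        failures.append("needs three of: lower, upper, digit, special")
    handle = email.split("@", 1)[0].lower()
    if handle and handle in password.lower():
        failures.append("contains email handle")
    if is_nonsense(password):
        failures.append("keyboard pattern or digits only")
    return failures
```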

    Fault's on Ashley Madison, Not the Users

    Of course, now that we know that the company set up a bunch of bots to lure men into paying for full access to the site; that pass1234 gave the hackers full access to the company's servers; that the $19 charge for completely deleting a user's data from their servers was less than effective, and possibly fraudulent; and a bunch of other accusations… well, it's obvious that security – or running a legitimate business – was probably not at the top of Ashley Madison's to-do list.

    Indeed, it makes me wonder whether their use of bcrypt to hash passwords was a fluke. Bcrypt is supposedly one of the best methods for hashing passwords because it's slower than other hashing algorithms (slow is good when it comes to hashes: it means you can't test and crack encrypted passwords as fast as possible; with bcrypt, you'd find one password when other hashes had already given up 100).

    Of course, in this light, the users can be faulted for their own security, as the use of weak passwords means that they've also potentially compromised the security at other websites…assuming they've been reusing their passwords, which is very highly probable.

    Ultimately, though, a data breach is a matter of "when" and not "if." If you value not being associated with a site like Ashley Madison, the only winning move is not to play.

     

    Related Articles and Sites:

    http://motherboard.vice.com/read/someone-cracked-4000-ashley-madison-passwords-and-loads-of-them-are-awful